IPsec VPN User Guide
Group VPNv2

18-Jan-25

Group VPNv2 introduces the concept of a trusted group to eliminate point-to-point tunnels and their associated overlay routing. All group members share a common security association (SA), also known as a group SA.

Group VPNv2 Overview

An IPsec security association (SA) is a unidirectional agreement between virtual private network (VPN) participants that defines the rules to use for authentication and encryption algorithms, key exchange mechanisms, and secure communications. In many VPN implementations, the SA is a point-to-point tunnel between two security devices (see Figure 1).

Figure 1: Point-to-Point SA

Group VPNv2 extends the IPsec architecture to support SAs that are shared by a group of security devices (see Figure 2). With Group VPNv2, any-to-any connectivity is achieved by preserving the original source and destination IP addresses in the outer header. Group VPNv2 is supported on SRX300, SRX320, SRX340, SRX345, SRX550HM, SRX1500, SRX4100, SRX4200, and SRX4600 devices and vSRX Virtual Firewall instances.

Figure 2: Shared SA

Group VPNv2 is the enhanced version of the group VPN feature introduced in earlier Junos OS releases for SRX Series Firewalls. Group VPNv2 on Juniper Networks devices supports RFC 6407, The Group Domain of Interpretation (GDOI), and interoperates with other devices that conform to RFC 6407.

Understanding the GDOI Protocol for Group VPNv2

Group VPNv2 is based on RFC 6407, The Group Domain of Interpretation (GDOI). This RFC describes the protocol between group members and a group server to establish SAs among group members. GDOI messages create, maintain, or delete SAs for a group of devices. Group VPNv2 is supported on vSRX Virtual Firewall instances and on all SRX Series Firewalls except SRX5400, SRX5600, and SRX5800 devices.

The GDOI protocol runs on UDP port 848. The Internet Security Association and Key Management Protocol (ISAKMP) defines two negotiation phases to establish SAs for an IKE IPsec tunnel. Phase 1 allows two devices to establish an ISAKMP SA for other security protocols, such as GDOI.

With Group VPNv2, Phase 1 ISAKMP SA negotiation is performed between a group server and a group member. The server and member must use the same ISAKMP policy. GDOI exchanges between the server and member establish the SAs that are shared with other group members. A group member does not need to negotiate IPsec with other group members. GDOI exchanges must be protected by ISAKMP Phase 1 SAs.

There are two types of GDOI exchanges:

  • The groupkey-pull exchange allows a member to request SAs and keys shared by the group from the server. Group members must register with the group server through a groupkey-pull exchange.

  • The groupkey-push exchange is a rekey message that allows the server to send group SAs and keys to members before the existing group SAs expire. Rekey messages are unsolicited messages sent from the server to members.

Understanding Group VPNv2 Servers and Members

Group VPNv2 is supported on SRX300, SRX320, SRX340, SRX345, SRX550HM, SRX1500, SRX4100, SRX4200, and SRX4600 devices and vSRX Virtual Firewall instances. The center of a Group VPNv2 is the group controller/key server (GCKS). A server cluster can be used to provide GCKS redundancy.

The GCKS, or group server, performs the following tasks:

  • Controls group membership.

  • Generates encryption keys.

  • Sends new group SAs and keys to members. Group members encrypt traffic based on the group SAs and keys provided by the group server.

A group server can service multiple groups. A single security device can be a member of multiple groups.

Each group is represented by a group identifier, which is a number between 1 and 4,294,967,295. The group server and group members are linked together by the group identifier. There can be only one group identifier per group, and multiple groups cannot use the same group identifier.

The following is a high-level view of Group VPNv2 server and member actions:

  1. The group server listens on UDP port 848 for members to register.

  2. To register with the group server, the member first establishes an IKE SA with the server. A member device must provide correct IKE Phase 1 authentication to join the group. Preshared key authentication on a per-member basis is supported.

  3. Upon successful authentication and registration, the member device retrieves the group SAs and keys for the specified group identifier from the server with a GDOI groupkey-pull exchange.

  4. The server adds the member to the membership for the group.

  5. Group members exchange packets that are encrypted with the group SA keys.

The server sends SA and key refreshes to group members with rekey (GDOI groupkey-push) messages. The server sends rekey messages before SAs expire to ensure that valid keys are available for encrypting traffic among group members.

Rekey messages sent by the server require an acknowledgment (ack) message from each group member. If the server does not receive an acknowledgment from a member, the rekey message is retransmitted at the configured retransmission-period (the default is 10 seconds). If there is no reply from the member after the configured number-of-retransmission (the default is 2 times), the member is removed from the server's registered members. The IKE SA between the server and the member is also removed.

The server also sends rekey messages to provide new keys to members when there is a change in the group SA.

Understanding Group VPNv2 Limitations

Group VPNv2 servers only work with Group VPNv2 members that support RFC 6407, The Group Domain of Interpretation (GDOI).

Group VPNv2 is supported on SRX300, SRX320, SRX340, SRX345, SRX550HM, SRX1500, SRX4100, SRX4200, and SRX4600 devices and vSRX Virtual Firewall instances. The following are not supported in this release of Group VPNv2:

  • SNMP.

  • Deny policies from Cisco GET VPN servers.

  • PKI support for Phase 1 IKE authentication.

  • Colocation of group server and member, where the server and member functions coexist in the same physical device.

  • Group members configured as chassis clusters.

  • J-Web interface for configuration and monitoring.

  • Multicast data traffic.

Group VPNv2 is not supported in deployments where IP addresses cannot be preserved, for example, on the Internet where NAT is used.

Understanding Group VPNv2 Server-Member Communication

Group VPNv2 is supported on SRX300, SRX320, SRX340, SRX345, SRX550HM, SRX1500, SRX4100, SRX4200, and SRX4600 devices and vSRX Virtual Firewall instances. Server-member communication allows the server to send GDOI groupkey-push (rekey) messages to members. If server-member communication is not configured for the group, members can send GDOI groupkey-pull messages to register and reregister with the server, but the server cannot send groupkey-push messages to members.

Server-member communication is configured for the group with the server-member-communication configuration statement in the [edit security group-vpn server] hierarchy. The following options can be defined:

  • Authentication algorithm (sha-256 or sha-384) used to authenticate the member to the server. There is no default algorithm.

  • Encryption algorithm used for communications between the server and member. You can specify aes-128-cbc, aes-192-cbc, or aes-256-cbc. There is no default algorithm.

  • Unicast communication type for rekey messages sent to group members.

  • Lifetime for the key encryption key (KEK). The default is 3600 seconds.

  • Number of times the group server retransmits groupkey-push messages to a group member when there is no reply (the default is 2 times) and the period of time between retransmissions (the default is 10 seconds).

If server-member communication is not configured for the group, the membership list displayed by the show security group-vpn server registered-members command shows the group members that have registered with the server; these members may or may not be active. When server-member communication is configured for the group, the group membership list is cleared. For the unicast communication type, the show security group-vpn server registered-members command displays only active members.

Understanding Group VPNv2 Key Operations

This topic contains the following sections:

Group Keys

Group VPNv2 is supported on SRX300, SRX320, SRX340, SRX345, SRX550HM, SRX1500, SRX4100, SRX4200, and SRX4600 devices and vSRX Virtual Firewall instances. The group server maintains a database to track the relationships between VPN groups, group members, and group keys. There are two kinds of group keys that the server can download to members:

  • Key encryption key (KEK): Used to encrypt SA rekey (GDOI groupkey-push) exchanges. One KEK is supported per group.

  • Traffic encryption key (TEK): Used to encrypt and decrypt IPsec data traffic between group members.

A key associated with an SA is accepted by a group member only if there is a matching policy configured on the member. An accepted key is installed for the group, whereas a rejected key is discarded.

Rekey Messages

If the group is configured for server-member communication, the server sends SA and key refreshes to group members with rekey (GDOI groupkey-push) messages. Rekey messages are sent before SAs expire; this ensures that valid keys are available for encrypting traffic among group members.

The server also sends rekey messages to provide new keys to members when there is a change in group membership or when the group SA changes (for example, when a group policy is added or deleted).

Server-member communication options must be configured on the server to allow the server to send rekey messages to group members.

The group server sends one copy of the unicast rekey message to each group member. Upon receipt of the rekey message, a member must send an acknowledgment (ACK) to the server. If the server does not receive an ACK from a member (including after retransmissions of the rekey message), the server considers the member to be inactive and removes it from the membership list. The server stops sending rekey messages to that member.

The number-of-retransmission and retransmission-period configuration statements for server-member communication control how the server resends rekey messages when no ACK is received from a member.
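The two GDOI exchanges described under "Understanding the GDOI Protocol for Group VPNv2" and the rekey acknowledgment and retransmission behaviour described in this section can be modelled end to end. The following is an added example written for this page, not Juniper code: a member registers with a groupkey-pull and receives the group's KEK and TEK, then the server issues a groupkey-push rekey, waits for an ACK from each member, retransmits number-of-retransmission times at retransmission-period intervals, and removes any member that never answers. Key material is random bytes, timing is simulated, and the Phase 1 authentication that precedes registration is assumed to have succeeded; nothing is sent on the network.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MAX_GROUP_ID = 4_294_967_295  # group identifiers range from 1 to 4,294,967,295


@dataclass
class GroupSA:
    """The SA material a member downloads for one group (simulated keys)."""
    group_id: int
    kek: bytes  # key encryption key: protects groupkey-push (rekey) messages
    tek: bytes  # traffic encryption key: protects ESP traffic between members


def new_group_sa(group_id: int) -> GroupSA:
    # Fresh random keys stand in for the server's key generation.
    return GroupSA(group_id, os.urandom(32), os.urandom(32))


@dataclass
class GroupServer:
    """GCKS model carrying the server-member-communication retransmission knobs."""
    group_id: int
    retransmission_period: int = 10    # seconds between retransmissions (Junos default)
    number_of_retransmission: int = 2  # retransmissions before giving up (Junos default)
    members: Set[str] = field(default_factory=set)
    sa: Optional[GroupSA] = None

    def __post_init__(self) -> None:
        if not 1 <= self.group_id <= MAX_GROUP_ID:
            raise ValueError("group identifier out of range")
        self.sa = new_group_sa(self.group_id)

    def groupkey_pull(self, member: str, group_id: int) -> Optional[GroupSA]:
        """Member registration. ISAKMP Phase 1 authentication is assumed done."""
        if group_id != self.group_id:
            return None  # no SA for a group this server does not serve
        self.members.add(member)
        return self.sa

    def groupkey_push(self, ack_on_attempt: Dict[str, Optional[int]]):
        """Rekey: push a new SA to every registered member and track ACKs.

        ack_on_attempt[member] is the 1-based attempt on which that member
        ACKs (None = never). Returns the push timeline as (time, attempt,
        members pushed to) and the members removed for never acknowledging."""
        self.sa = new_group_sa(self.group_id)
        pending = set(self.members)
        timeline: List[Tuple[int, int, List[str]]] = []
        for attempt in range(1, self.number_of_retransmission + 2):
            t = (attempt - 1) * self.retransmission_period
            timeline.append((t, attempt, sorted(pending)))
            for m in list(pending):
                when = ack_on_attempt.get(m)
                if when is not None and when <= attempt:
                    pending.discard(m)
            if not pending:
                break
        # A member that never ACKs is dropped from the membership (its IKE SA
        # with the server goes too); it must re-register with groupkey-pull.
        for m in pending:
            self.members.discard(m)
        return timeline, sorted(pending)


def demo():
    server = GroupServer(group_id=1)
    for m in ("GM-0001", "GM-0002", "GM-0003"):
        assert server.groupkey_pull(m, 1) is not None
    # Constructed behaviour: GM-0001 ACKs at once, GM-0002 only after one
    # retransmission, GM-0003 has gone silent.
    timeline, removed = server.groupkey_push(
        {"GM-0001": 1, "GM-0002": 2, "GM-0003": None})
    return server, timeline, removed


if __name__ == "__main__":
    srv, tl, rm = demo()
    for t, attempt, targets in tl:
        print(f"t={t:>3}s attempt {attempt}: push to {targets}")
    print("removed:", rm, "remaining:", sorted(srv.members))
```

With the defaults, a silent member receives the original push plus two retransmissions (at 0, 10 and 20 seconds) before it is dropped; it is not rekeyed again until it registers with a new groupkey-pull.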

The interval at which the server sends rekey messages is based on the value of the lifetime-seconds configuration statement in the [edit security group-vpn server group group-name] hierarchy. New keys are generated before the KEK and TEK keys expire.

The lifetime-seconds for the KEK is configured as part of the server-member communication; the default is 3600 seconds. The lifetime-seconds for the TEK is configured for the IPsec proposal; the default is 3600 seconds.

Member Registration

If a group member does not receive a new SA key from the server before the current key expires, the member must reregister with the server and obtain updated keys with a GDOI groupkey-pull exchange.

Group VPNv2 Configuration Overview

Group VPNv2 is supported on SRX300, SRX320, SRX340, SRX345, SRX550HM, SRX1500, SRX4100, SRX4200, and SRX4600 devices and vSRX Virtual Firewall instances. This topic describes the main tasks for configuring Group VPNv2.

The group controller/key server (GCKS) manages Group VPNv2 security associations (SAs), and generates encryption keys and distributes them to group members. You can use Group VPNv2 server clusters to provide GCKS redundancy. See Understanding Group VPNv2 Server Clusters.

On the group server, configure the following:

  1. IKE Phase 1 SA. See Understanding IKE Phase 1 Configuration for Group VPNv2.
  2. IPsec SA. See Understanding IPsec SA Configuration for Group VPNv2.
  3. VPN group information, including the group identifier, the IKE gateways for group members, the maximum number of members in the group, and server-member communication. The group configuration includes a group policy that defines the traffic to which the SA and keys apply. Optionally, a server cluster and an anti-replay time window can be configured. See Group VPNv2 Configuration Overview and Understanding Group VPNv2 Traffic Steering.

On the group members, configure the following:

  1. IKE Phase 1 SA. See Understanding IKE Phase 1 Configuration for Group VPNv2.

  2. IPsec SA. See Understanding IPsec SA Configuration for Group VPNv2.

  3. IPsec policy that defines the incoming zone (generally the protected LAN), the outgoing zone (generally the WAN), and the VPN group to which the policy applies. Exclude or fail-open rules can also be specified. See Understanding Group VPNv2 Traffic Steering.

  4. Security policy that allows group VPN traffic between the zones specified in the IPsec policy.

Group VPNv2 operation requires a working routing topology that allows client devices to reach their intended sites throughout the network.

The group is configured on the server with the group configuration statement in the [edit security group-vpn server] hierarchy.

The group information consists of the following:

  • Group identifier: A value that identifies the VPN group. The same group identifier must be configured on the group members.

  • An ike-gateway configuration statement for each group member. There can be multiple instances of this configuration statement, one for each member of the group.

  • Group policies: Policies that are downloaded to members. A group policy describes the traffic to which the SA and keys apply. See Understanding Group VPNv2 Traffic Steering.

  • Member threshold: The maximum number of members in the group. Once the member threshold for a group is reached, the server stops responding to groupkey-pull initiations from new members. See Understanding Group VPNv2 Server Clusters.

  • Server-member communication: Optional configuration that allows the server to send groupkey-push rekey messages to members.

  • Server cluster: Optional configuration that supports group controller/key server (GCKS) redundancy. See Understanding Group VPNv2 Server Clusters.

  • Anti-replay: Optional configuration that detects packet interception and replay. See Understanding Group VPNv2 Anti-Replay.

Understanding IKE Phase 1 Configuration for Group VPNv2

An IKE Phase 1 SA between the group server and a group member establishes a secure channel in which to negotiate the IPsec SAs that are shared by the group. For standard IPsec VPNs on Juniper Networks security devices, Phase 1 SA configuration consists of specifying an IKE proposal, policy, and gateway.

For Group VPNv2, IKE Phase 1 SA configuration is similar to the configuration for a standard IPsec VPN, but is performed at the [edit security group-vpn server ike] and [edit security group-vpn member ike] hierarchies. Group VPNv2 is supported on SRX300, SRX320, SRX340, SRX345, SRX550HM, SRX1500, SRX4100, SRX4200, and SRX4600 devices and vSRX Virtual Firewall instances.

In the IKE proposal configuration, you set the authentication method and the authentication and encryption algorithms that will be used to open a secure channel between participants. In the IKE policy configuration, you set the mode in which the Phase 1 channel is negotiated, specify the type of key exchange to use, and reference the Phase 1 proposal. In the IKE gateway configuration, you reference the Phase 1 policy.

The IKE proposal and policy configurations on the group server must match the IKE proposal and policy configurations on the group members. On the group server, an IKE gateway is configured for each group member. On a group member, up to four server addresses can be specified in the IKE gateway configuration.

Understanding IPsec SA Configuration for Group VPNv2

Group VPNv2 is supported on SRX300, SRX320, SRX340, SRX345, SRX550HM, SRX1500, SRX4100, SRX4200, and SRX4600 devices and vSRX Virtual Firewall instances. After the server and members have established a secure and authenticated channel in Phase 1 negotiation, they proceed to establish the IPsec SAs that are shared by group members to secure data transmitted among members. While the IPsec SA configuration for Group VPNv2 is similar to the configuration for a standard VPN, a group member does not need to negotiate the SA with other group members.

IPsec configuration for Group VPNv2 consists of the following information:

  • On the group server, an IPsec proposal is configured for the security protocol and the authentication and encryption algorithms to be used for the SA. The IPsec SA proposal is configured on the group server with the proposal configuration statement in the [edit security group-vpn server ipsec] hierarchy.

  • On the group member, an Autokey IKE is configured that references the group identifier, the group server (configured with the ike-gateway configuration statement), and the interface used by the member to connect to the group peers. The Autokey IKE is configured on the member with the vpn configuration statement in the [edit security group-vpn member ipsec] hierarchy.

Understanding Group VPNv2 Traffic Steering

Group VPNv2 is supported on SRX300, SRX320, SRX340, SRX345, SRX550HM, SRX1500, SRX4100, SRX4200, and SRX4600 devices and vSRX Virtual Firewall instances. The group server distributes IPsec security associations (SAs) and keys to members of a specified group. All members belonging to the same group share the same set of IPsec SAs. The SAs that are installed on a particular group member are determined by the policy associated with the group SA and by the IPsec policy configured on the group member.

Group Policies Configured on the Group Server

In a VPN group, each group SA and key that the server pushes to a member is associated with a group policy. The group policy describes the traffic on which the key should be used, including the protocol, source address, source port, destination address, and destination port. On the server, the group policy is configured with the match-policy policy-name option at the [edit security group-vpn server group name ipsec-sa name] hierarchy level.

Identical group policies (configured with the same source address, destination address, source port, destination port, and protocol values) cannot exist for a single group. An error is returned if you attempt to commit a configuration that contains identical group policies for a group. If this occurs, you must delete one of the identical group policies before the configuration can be committed.
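The commit check described above can be reproduced offline before pushing a group configuration. The following is an added example written for this page, not Juniper code: it keys each match-policy on the five values the page names (source, destination, source port, destination port, protocol) and reports the names that collide. Normalising the prefixes with ip_network(strict=False) and treating a missing port or protocol as 0 ("any", as in the page's protocol 0) are this example's own choices, not documented Junos behaviour.

```python
from collections import defaultdict
from ipaddress import ip_network
from typing import Dict, List


def policy_key(policy: dict) -> tuple:
    """The five values Junos compares when rejecting identical group policies.

    Addresses are normalised so that two spellings of the same prefix compare
    equal; a missing port or protocol counts as 0 ('any'). Both are choices
    made for this example."""
    return (
        str(ip_network(policy["source"], strict=False)),
        str(ip_network(policy["destination"], strict=False)),
        int(policy.get("source-port", 0)),
        int(policy.get("destination-port", 0)),
        int(policy.get("protocol", 0)),
    )


def identical_policies(match_policies: Dict[str, dict]) -> List[List[str]]:
    """Return groups of match-policy names that are identical and would make
    the commit fail for this ipsec-sa; an empty list means the set is clean."""
    by_key = defaultdict(list)
    for name, policy in match_policies.items():
        by_key[policy_key(policy)].append(name)
    return sorted(names for names in by_key.values() if len(names) > 1)


# Constructed ipsec-sa: policy 1 is the page's own, policy 2 restates it with a
# non-canonical prefix spelling, policy 3 differs in protocol and port.
EXAMPLE_IPSEC_SA = {
    "1": {"source": "172.16.0.0/12", "destination": "172.16.0.0/12", "protocol": 0},
    "2": {"source": "172.16.1.0/12", "destination": "172.16.0.0/12"},
    "3": {"source": "172.16.0.0/12", "destination": "172.16.0.0/12",
          "protocol": 6, "destination-port": 443},
}

if __name__ == "__main__":
    print(identical_policies(EXAMPLE_IPSEC_SA))
```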

IPsec Policy Configured on the Group Member

On the group member, the IPsec policy includes the following information:

  • Incoming zone (from-zone) for group traffic.

  • Outgoing zone (to-zone) for group traffic.

  • Name of the group to which the IPsec policy applies. A specific from-zone/to-zone pair can reference only a single Group VPNv2 name.

The interface used by the group member to connect to the Group VPNv2 must belong to the outgoing zone. This interface is specified with the group-vpn-external-interface statement at the [edit security group-vpn member ipsec vpn vpn-name] hierarchy level.

On the group member, the IPsec policy is configured at the [edit security ipsec-policy] hierarchy level. Traffic that matches the IPsec policy is further checked against the exclude and fail-open rules configured for the group.

Fail-Close

By default, traffic that does not match exclude rules, fail-open rules, or the group policies received from the group server is blocked; this is known as fail-close.

Exclude and Fail-Open Rules

On group members, the following types of rules can be configured for each group:

  • Traffic that is excluded from VPN encryption. Examples of this type of traffic include BGP or OSPF routing protocols. To exclude traffic from the group, use the set security group-vpn member ipsec vpn vpn-name exclude rule configuration. A maximum of 10 exclude rules can be configured.

  • Traffic that is critical to the customer's operation and must be sent in cleartext (unencrypted) if the group member has not received a valid traffic encryption key (TEK) for the IPsec SA. A fail-open rule allows this traffic to flow while blocking all other traffic. Fail-open is enabled with the set security group-vpn member ipsec vpn vpn-name fail-open rule configuration. A maximum of 10 fail-open rules can be configured.

Priority of IPsec Policies and Rules

IPsec policies and rules have the following priority on a group member:

  1. Exclude rules that define the traffic to be excluded from VPN encryption.

  2. Group policies downloaded from the group server.

  3. Fail-open rules that define traffic to be sent in cleartext when there is no valid TEK for the SA.

  4. Fail-close policy that blocks traffic. This is the default if traffic does not match exclude rules, fail-open rules, or group policies.
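The four-step precedence above is what keeps the member fail-closed: only explicitly excluded traffic and explicitly listed fail-open traffic ever leave in cleartext. The following is an added example written for this page, not Juniper code, that applies that order to constructed packets. Rules are reduced to source prefix, destination prefix and IP protocol (protocol 0 meaning any, as in the page's group policy); group policies are installed together with the TEK and disappear when it expires, and fail-open rules are consulted only while no valid TEK exists, which is this example's reading of step 3. The 10-rule limit for exclude and fail-open rules is enforced.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

MAX_RULES = 10  # Junos allows at most 10 exclude and 10 fail-open rules per group


@dataclass(frozen=True)
class Rule:
    """One exclude, fail-open or group-policy entry (reduced 5-tuple)."""
    source: str
    destination: str
    protocol: int = 0  # 0 = any, as in the page's 'protocol 0' group policy

    def matches(self, pkt: Dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.source)
                and ip_address(pkt["dst"]) in ip_network(self.destination)
                and self.protocol in (0, pkt["proto"]))


class GroupVpnMember:
    """Member-side forwarding decision for traffic that hit the IPsec policy."""

    def __init__(self, exclude: List[Rule], fail_open: List[Rule]):
        if len(exclude) > MAX_RULES or len(fail_open) > MAX_RULES:
            raise ValueError(f"at most {MAX_RULES} exclude and {MAX_RULES} fail-open rules")
        self.exclude = list(exclude)
        self.fail_open = list(fail_open)
        self.group_policies: List[Rule] = []  # arrive with the TEK
        self.has_valid_tek = False

    def install_from_server(self, policies: List[Rule]) -> None:
        """Result of a groupkey-pull or groupkey-push: policies and TEK together."""
        self.group_policies = list(policies)
        self.has_valid_tek = True

    def tek_expired(self) -> None:
        """No rekey arrived in time: the SA and its policies are gone."""
        self.group_policies = []
        self.has_valid_tek = False

    def classify(self, pkt: Dict) -> str:
        if any(r.matches(pkt) for r in self.exclude):
            return "exclude"     # 1. never encrypted (routing protocols etc.)
        if self.has_valid_tek and any(r.matches(pkt) for r in self.group_policies):
            return "encrypt"     # 2. group policy downloaded from the server
        if not self.has_valid_tek and any(r.matches(pkt) for r in self.fail_open):
            return "fail-open"   # 3. listed critical traffic, cleartext, no TEK
        return "fail-close"      # 4. default: blocked


def build_member() -> GroupVpnMember:
    """Constructed member: OSPF excluded, one fail-open rule for a critical
    server subnet, and the page's 172.16.0.0/12 group policy installed."""
    member = GroupVpnMember(
        exclude=[Rule("0.0.0.0/0", "0.0.0.0/0", protocol=89)],          # OSPF
        fail_open=[Rule("172.16.101.0/24", "172.16.200.0/24", protocol=6)],
    )
    member.install_from_server([Rule("172.16.0.0/12", "172.16.0.0/12")])
    return member


if __name__ == "__main__":
    m = build_member()
    for pkt in ({"src": "172.16.101.1", "dst": "224.0.0.5", "proto": 89},
                {"src": "172.16.101.10", "dst": "172.16.102.10", "proto": 6},
                {"src": "10.0.0.1", "dst": "172.16.1.1", "proto": 6}):
        print(pkt, "->", m.classify(pkt))
    m.tek_expired()
    print("after TEK expiry:",
          m.classify({"src": "172.16.101.10", "dst": "172.16.200.5", "proto": 6}))
```

Note that the same critical flow is encrypted while a TEK is present and only falls back to cleartext after expiry, whereas any other intra-group flow is dropped in that state.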

Understanding the Group VPNv2 Recovery Probe Process

Group VPNv2 is supported on SRX300, SRX320, SRX340, SRX345, SRX550HM, SRX1500, SRX4100, SRX4200, and SRX4600 devices and vSRX Virtual Firewall instances. Two situations can indicate that a group member is out of sync with the group server and the other group members:

  • The group member receives an Encapsulating Security Payload (ESP) packet with an unrecognized security parameter index (SPI).

  • There is outgoing IPsec traffic but no incoming IPsec traffic on the group member.

When either situation is detected, the recovery probe process can be triggered on the group member. The recovery probe process initiates GDOI groupkey-pull exchanges at specific intervals to update the member's SAs from the group server. The out-of-sync indications on the group member can be false positives if there is a DoS attack of bad-SPI packets or if the sender itself is out of sync. To avoid overloading the system, the groupkey-pull initiation is retried at 10, 20, 40, 80, 160, and 320 seconds.

By default, the recovery probe process is disabled. To enable the recovery probe process, configure recovery-probe at the [edit security group-vpn member ipsec vpn vpn-name] hierarchy level.
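Because a bad-SPI flood may be a DoS rather than a real key mismatch, the useful property of the probe is that it is bounded: one trigger starts one back-off series, and further bad packets while it is running do not add pulls. The following is an added example written for this page, not Juniper code, that models both triggers, the back-off series, the recovery-probe on/off switch, and the reset when a groupkey-pull succeeds. The page does not say whether 10, 20, 40, 80, 160 and 320 seconds are gaps between retries or offsets from the first pull; this example assumes gaps, with the first pull sent immediately.

```python
from typing import Iterable, List, Set

# Retry intervals from the page; assumed here to be gaps between successive
# pulls, with the first groupkey-pull sent immediately.
RECOVERY_PROBE_INTERVALS = (10, 20, 40, 80, 160, 320)


class RecoveryProbe:
    """Member-side recovery-probe state for one group VPN."""

    def __init__(self, known_spis: Iterable[int], enabled: bool = True):
        self.enabled = enabled            # Junos default is off; 'recovery-probe' turns it on
        self.known_spis: Set[int] = set(known_spis)
        self.active = False
        self.schedule: List[int] = []     # seconds after the trigger at which a pull is sent
        self.bad_spi_packets = 0          # would feed an "unknown SPI" counter on a real box
        self.triggers: List[str] = []

    def on_esp_packet(self, spi: int) -> None:
        """Trigger 1: ESP packet whose SPI matches no installed SA."""
        if spi in self.known_spis:
            return
        self.bad_spi_packets += 1
        self._trigger(f"unknown SPI 0x{spi:x}")

    def on_traffic_stats(self, out_pkts: int, in_pkts: int) -> None:
        """Trigger 2: we encrypt towards the group but nothing comes back."""
        if out_pkts > 0 and in_pkts == 0:
            self._trigger("outbound IPsec traffic without inbound")

    def _trigger(self, reason: str) -> None:
        if not self.enabled or self.active:
            # One probe series at a time: a flood of bad-SPI packets, whether a
            # DoS or an out-of-sync sender, cannot fan out into a flood of pulls.
            return
        self.active = True
        self.triggers.append(reason)
        t, self.schedule = 0, [0]
        for interval in RECOVERY_PROBE_INTERVALS:
            t += interval
            self.schedule.append(t)

    def on_pull_success(self, new_spis: Iterable[int]) -> None:
        """The server answered a groupkey-pull: SAs refreshed, probing stops."""
        self.known_spis = set(new_spis)
        self.active = False
        self.schedule = []


def demo():
    probe = RecoveryProbe(known_spis=[0x1001])
    probe.on_esp_packet(0x1001)                 # recognised SPI: no trigger
    for _ in range(50):                         # constructed burst of bad-SPI packets
        probe.on_esp_packet(0x9999)
    first_schedule = list(probe.schedule)
    probe.on_pull_success([0x1001, 0x9999])     # server hands out the current SAs
    probe.on_esp_packet(0x9999)                 # now recognised
    return probe, first_schedule


if __name__ == "__main__":
    p, sched = demo()
    print("pull schedule (s):", sched)
    print("bad-SPI packets:", p.bad_spi_packets, "triggers:", p.triggers)
```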

Understanding Group VPNv2 Anti-Replay

Group VPNv2 anti-replay is supported on vSRX Virtual Firewall instances and on all SRX Series Firewalls except SRX5400, SRX5600, and SRX5800 devices. Anti-replay is an IPsec feature that can detect when a packet is intercepted and then replayed by an attacker. Anti-replay is disabled by default for a group.

Each IPsec packet contains a timestamp. The group member checks whether the packet's timestamp falls within the configured anti-replay-time-window value. A packet is dropped if its timestamp exceeds that value.

We recommend that NTP be configured on all devices that participate in Group VPNv2 anti-replay.

Group members running on vSRX Virtual Firewall instances on hosts where the hypervisor is running under a heavy load may experience problems that can be corrected by reconfiguring the anti-replay-time-window value. If data that matches the IPsec policy on a group member is not being transmitted, check the show security group-vpn member ipsec statistics output for D3P errors. Make sure that NTP is operating properly. If there are errors, adjust the anti-replay-time-window value.
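The timestamp check above has two failure modes a practitioner will meet: a genuinely replayed packet is dropped, as intended, but a receiver whose clock has drifted (no NTP, or a starved hypervisor) drops everything, which is what the D3P error counter surfaces. The following is an added example written for this page, not Juniper code, that runs one constructed packet stream through the check three times: in sync, with a skewed receiver clock, and with anti-replay disabled. The page gives no unit for anti-replay-time-window; this example treats the window and the timestamps as seconds.

```python
from collections import Counter
from typing import Dict, List, Tuple


class AntiReplayWindow:
    """Timestamp-based anti-replay as the page describes it. Window and
    timestamps share one unit (seconds in this example; the page gives none)."""

    def __init__(self, window: float, enabled: bool = False):
        self.window = window      # anti-replay-time-window value
        self.enabled = enabled    # disabled by default in Junos
        self.stats = Counter()    # stands in for the D3P counters in ipsec statistics

    def check(self, pkt_timestamp: float, local_now: float) -> bool:
        """True if the packet is accepted, False if it is dropped."""
        if not self.enabled:
            self.stats["accepted"] += 1
            return True
        if abs(local_now - pkt_timestamp) > self.window:
            self.stats["d3p_errors"] += 1
            return False
        self.stats["accepted"] += 1
        return True


def run_stream(window: float, packets: List[Tuple[float, float]],
               clock_offset: float = 0.0, enabled: bool = True) -> Tuple[List[bool], Dict[str, int]]:
    """packets: (arrival_time_at_receiver, timestamp_in_packet).
    clock_offset models a receiver clock that is off because NTP is not running."""
    arw = AntiReplayWindow(window, enabled)
    verdicts = [arw.check(ts, arrival + clock_offset) for arrival, ts in packets]
    return verdicts, dict(arw.stats)


# Constructed traffic: a peer stamps packets with its send time; the third
# packet is a copy of the first, replayed 90 s later.
PACKETS = [(100.0, 100.0), (101.0, 101.0), (190.0, 100.0), (191.0, 191.0)]


def demo():
    in_sync = run_stream(window=30, packets=PACKETS)
    skewed = run_stream(window=30, packets=PACKETS, clock_offset=600)  # NTP broken
    disabled = run_stream(window=30, packets=PACKETS, enabled=False)
    return in_sync, skewed, disabled


if __name__ == "__main__":
    for label, (verdicts, stats) in zip(("in sync", "skewed", "disabled"), demo()):
        print(f"{label:>9}: {verdicts} {stats}")
```

A rising d3p_errors count with no accepted packets, as in the skewed run, points at clocks rather than at an attacker; a single drop among accepted packets is the replay being caught.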

Example: Configuring a Group VPNv2 Server and Members

This example shows how to configure a Group VPNv2 server to provide group controller/key server (GCKS) support to Group VPNv2 group members. Group VPNv2 is supported on SRX300, SRX320, SRX340, SRX345, SRX550HM, SRX1500, SRX4100, SRX4200, and SRX4600 devices and vSRX Virtual Firewall instances.

Requirements

This example uses the following hardware and software components:

  • One supported SRX Series Firewall or vSRX Virtual Firewall instance running Junos OS Release 15.1X49-D30 or later that supports Group VPNv2. This SRX Series Firewall or vSRX Virtual Firewall instance operates as the Group VPNv2 server.

  • Two supported SRX Series Firewalls or vSRX Virtual Firewall instances running Junos OS Release 15.1X49-D30 or later that support Group VPNv2. These devices or instances operate as Group VPNv2 group members.

  • Two supported MX Series devices running Junos OS Release 15.1R2 or later that support Group VPNv2. These devices operate as Group VPNv2 group members.

The hostname, root administrator password, and management access must be configured on each device. We recommend that NTP also be configured on each device.

Group VPNv2 operation requires a working routing topology that allows client devices to reach their intended sites throughout the network. This example focuses on the Group VPNv2 configuration; the routing configuration is not described.

Overview

In this example, the Group VPNv2 network consists of a server and four members. Two of the members are SRX Series Firewalls or vSRX Virtual Firewall instances, and the other two members are MX Series devices. The shared group VPN SA secures traffic among the group members.

The group VPN SA must be protected by a Phase 1 SA. Therefore, the group VPN configuration must include configuring IKE Phase 1 negotiations on the group server and on the group members.

The same group identifier must be configured on both the group server and the group members. In this example, the group name is GROUP_ID-0001 and the group identifier is 1. The group policy configured on the server specifies that the SA and key are applied to traffic between subnetworks in the 172.16.0.0/12 range.

On the SRX Series Firewall or vSRX Virtual Firewall group members, an IPsec policy is configured for the group with the LAN zone as the from-zone (incoming traffic) and the WAN zone as the to-zone (outgoing traffic). A security policy is also needed to allow traffic between the LAN and WAN zones.

Topology

Figure 3 shows the Juniper Networks devices to be configured for this example.

Figure 3: Group VPNv2 Server with SRX Series Firewall or vSRX Virtual Firewall and MX Series Members

Configuration

Configuring the Group Server

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set interfaces ge-0/0/1 unit 0 family inet address 10.10.100.1/24
set security policies global policy 1000 match source-address any
set security policies global policy 1000 match destination-address any
set security policies global policy 1000 match application any
set security policies global policy 1000 match from-zone any
set security policies global policy 1000 match to-zone any
set security policies global policy 1000 then reject
set security policies global policy 1000 then log session-init
set security policies global policy 1000 then count
set security policies default-policy deny-all
set security zones security-zone GROUPVPN host-inbound-traffic system-services ike
set security zones security-zone GROUPVPN host-inbound-traffic system-services ssh
set security zones security-zone GROUPVPN host-inbound-traffic system-services ping
set security zones security-zone GROUPVPN interfaces ge-0/0/1.0
set routing-options static route 10.18.101.0/24 next-hop 10.10.100.254
set routing-options static route 10.18.102.0/24 next-hop 10.10.100.254
set routing-options static route 10.18.103.0/24 next-hop 10.10.100.254
set routing-options static route 10.18.104.0/24 next-hop 10.10.100.254
set security group-vpn server ike proposal PSK-SHA256-DH14-AES256 authentication-method pre-shared-keys
set security group-vpn server ike proposal PSK-SHA256-DH14-AES256 authentication-algorithm sha-256
set security group-vpn server ike proposal PSK-SHA256-DH14-AES256 dh-group group14
set security group-vpn server ike proposal PSK-SHA256-DH14-AES256 encryption-algorithm aes-256-cbc
set security group-vpn server ike policy GMs mode main
set security group-vpn server ike policy GMs proposals PSK-SHA256-DH14-AES256
set security group-vpn server ike policy GMs pre-shared-key ascii-text "$ABC123"
set security group-vpn server ike gateway GM-0001 ike-policy GMs
set security group-vpn server ike gateway GM-0001 address 10.18.101.1
set security group-vpn server ike gateway GM-0001 local-address 10.10.100.1
set security group-vpn server ike gateway GM-0002 ike-policy GMs
set security group-vpn server ike gateway GM-0002 address 10.18.102.1
set security group-vpn server ike gateway GM-0002 local-address 10.10.100.1
set security group-vpn server ike gateway GM-0003 ike-policy GMs
set security group-vpn server ike gateway GM-0003 address 10.18.103.1
set security group-vpn server ike gateway GM-0003 local-address 10.10.100.1
set security group-vpn server ike gateway GM-0004 ike-policy GMs
set security group-vpn server ike gateway GM-0004 address 10.18.104.1
set security group-vpn server ike gateway GM-0004 local-address 10.10.100.1
set security group-vpn server ipsec proposal AES256-SHA256-L3600 authentication-algorithm hmac-sha-256-128
set security group-vpn server ipsec proposal AES256-SHA256-L3600 encryption-algorithm aes-256-cbc
set security group-vpn server ipsec proposal AES256-SHA256-L3600 lifetime-seconds 3600
set security group-vpn server group GROUP_ID-0001 group-id 1
set security group-vpn server group GROUP_ID-0001 member-threshold 2000
set security group-vpn server group GROUP_ID-0001 ike-gateway GM-0001
set security group-vpn server group GROUP_ID-0001 ike-gateway GM-0002
set security group-vpn server group GROUP_ID-0001 ike-gateway GM-0003
set security group-vpn server group GROUP_ID-0001 ike-gateway GM-0004
set security group-vpn server group GROUP_ID-0001 anti-replay-time-window 1000
set security group-vpn server group GROUP_ID-0001 server-member-communication communication-type unicast
set security group-vpn server group GROUP_ID-0001 server-member-communication encryption-algorithm aes-256-cbc
set security group-vpn server group GROUP_ID-0001 server-member-communication lifetime-seconds 7200
set security group-vpn server group GROUP_ID-0001 server-member-communication sig-hash-algorithm sha-256
set security group-vpn server group GROUP_ID-0001 ipsec-sa GROUP_ID-0001 proposal AES256-SHA256-L3600
set security group-vpn server group GROUP_ID-0001 ipsec-sa GROUP_ID-0001 match-policy 1 source 172.16.0.0/12
set security group-vpn server group GROUP_ID-0001 ipsec-sa GROUP_ID-0001 match-policy 1 destination 172.16.0.0/12
set security group-vpn server group GROUP_ID-0001 ipsec-sa GROUP_ID-0001 match-policy 1 protocol 0
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure the Group VPNv2 server:

  1. Configure interfaces, security zones, and security policies.

    [edit interfaces]
    user@host# set ge-0/0/1 unit 0 family inet address 10.10.100.1/24
    [edit security zones security-zone GROUPVPN]
    user@host# set host-inbound-traffic system-services ike
    user@host# set host-inbound-traffic system-services ssh
    user@host# set host-inbound-traffic system-services ping
    user@host# set interfaces ge-0/0/1.0
    [edit security policies]
    user@host# set global policy 1000 match source-address any
    user@host# set global policy 1000 match destination-address any
    user@host# set global policy 1000 match application any
    user@host# set global policy 1000 match from-zone any
    user@host# set global policy 1000 match to-zone any
    user@host# set global policy 1000 then reject
    user@host# set global policy 1000 then log session-init
    user@host# set global policy 1000 then count
    user@host# set default-policy deny-all
    
  2. Configure static routes.

    [edit routing-options]
    user@host# set static route 10.18.101.0/24 next-hop 10.10.100.254
    user@host# set static route 10.18.102.0/24 next-hop 10.10.100.254
    user@host# set static route 10.18.103.0/24 next-hop 10.10.100.254
    user@host# set static route 10.18.104.0/24 next-hop 10.10.100.254
    
  3. Configure the IKE proposal, policy, and gateways.

    [edit security group-vpn server ike proposal PSK-SHA256-DH14-AES256]
    user@host# set authentication-method pre-shared-keys
    user@host# set authentication-algorithm sha-256
    user@host# set dh-group group14
    user@host# set encryption-algorithm aes-256-cbc
    [edit security group-vpn server ike policy GMs]
    user@host# set mode main
    user@host# set proposals PSK-SHA256-DH14-AES256
    user@host# set pre-shared-key ascii-text "$ABC123"
    [edit security group-vpn server ike gateway GM-0001]
    user@host# set ike-policy GMs
    user@host# set address 10.18.101.1
    user@host# set local-address 10.10.100.1
    [edit security group-vpn server ike gateway GM-0002]
    user@host# set ike-policy GMs
    user@host# set address 10.18.102.1
    user@host# set local-address 10.10.100.1
    [edit security group-vpn server ike gateway GM-0003]
    user@host# set ike-policy GMs
    user@host# set address 10.18.103.1
    user@host# set local-address 10.10.100.1
    [edit security group-vpn server ike gateway GM-0004]
    user@host# set ike-policy GMs
    user@host# set address 10.18.104.1
    user@host# set local-address 10.10.100.1
    
  4. Configure the IPsec proposal.

    [edit security group-vpn server ipsec proposal AES256-SHA256-L3600]
    user@host# set authentication-algorithm hmac-sha-256-128
    user@host# set encryption-algorithm aes-256-cbc
    user@host# set lifetime-seconds 3600
    
  5. Configure the group.

    [edit security group-vpn server group GROUP_ID-0001]
    user@host# set group-id 1
    user@host# set member-threshold 2000
    user@host# set ike-gateway GM-0001
    user@host# set ike-gateway GM-0002
    user@host# set ike-gateway GM-0003
    user@host# set ike-gateway GM-0004
    user@host# set anti-replay-time-window 1000
    
  6. Configure server-to-member communications.

    [edit security group-vpn server group GROUP_ID-0001 server-member-communication]
    user@host# set communication-type unicast
    user@host# set encryption-algorithm aes-256-cbc 
    user@host# set lifetime-seconds 7200
    user@host# set sig-hash-algorithm sha-256
    
  7. Configure the group policy to be downloaded to group members.

    [edit security group-vpn server group GROUP_ID-0001 ipsec-sa GROUP_ID-0001]
    user@host# set proposal AES256-SHA256-L3600
    user@host# set match-policy 1 source 172.16.0.0/12
    user@host# set match-policy 1 destination 172.16.0.0/12
    user@host# set match-policy 1 protocol 0
    
Results

From configuration mode, confirm your configuration by entering the show interfaces, show routing-options, and show security commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

[edit]
user@host# show interfaces
ge-0/0/1 {
    unit 0 {
        family inet {
            address 10.10.100.1/24;
        }
    }
}
[edit]
user@host# show routing-options
static {
    route 10.18.101.0/24 next-hop 10.10.100.254;
    route 10.18.102.0/24 next-hop 10.10.100.254;
    route 10.18.103.0/24 next-hop 10.10.100.254;
    route 10.18.104.0/24 next-hop 10.10.100.254;
}
[edit]
user@host# show security
group-vpn {
    server {
        ike {
            proposal PSK-SHA256-DH14-AES256 {
                authentication-method pre-shared-keys;
                authentication-algorithm sha-256;
                dh-group group14;
                encryption-algorithm aes-256-cbc;
            }
            policy GMs {
                mode main;
                proposals PSK-SHA256-DH14-AES256;
                pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
            }
            gateway GM-0001 {
                ike-policy GMs;
                address 10.18.101.1;
                local-address 10.10.100.1;
            }
            gateway GM-0002 {
                ike-policy GMs;
                address 10.18.102.1;
                local-address 10.10.100.1;
            }
            gateway GM-0003 {
                ike-policy GMs;
                address 10.18.103.1;
                local-address 10.10.100.1;
            }
            gateway GM-0004 {
                ike-policy GMs;
                address 10.18.104.1;
                local-address 10.10.100.1;
            }
        }
        ipsec {
            proposal AES256-SHA256-L3600 {
                authentication-algorithm hmac-sha-256-128;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 3600;
            }
        }
        group GROUP_ID-0001 {
            group-id 1;
            member-threshold 2000;
            ike-gateway GM-0001;
            ike-gateway GM-0002;
            ike-gateway GM-0003;
            ike-gateway GM-0004;
            anti-replay-time-window 1000;
            server-member-communication {
                communication-type unicast;
                lifetime-seconds 7200;
                encryption-algorithm aes-256-cbc;
                sig-hash-algorithm sha-256;
            }
            ipsec-sa GROUP_ID-0001 {
                proposal AES256-SHA256-L3600;
                match-policy 1 {
                    source 172.16.0.0/12;
                    destination 172.16.0.0/12;
                    protocol 0;
                }
            }
        }
    }
}
policies {
    global {
        policy 1000 {
            match {
                source-address any;
                destination-address any;
                application any;
                from-zone any;
                to-zone any;
            }
            then {
                reject;
                log {
                    session-init;
                }
                count;
            }
        }
    }
    default-policy {
        deny-all;
    }
}
zones {
    security-zone GROUPVPN {
        host-inbound-traffic {
            system-services {
                ike;
                ssh;
                ping;
            }
        }
        interfaces {
            ge-0/0/1.0;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Configuring Group Member GM-0001 (SRX Series Firewall or vSRX Virtual Firewall Instance)

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set interfaces ge-0/0/0 unit 0 description To_LAN
set interfaces ge-0/0/0 unit 0 family inet address 172.16.101.1/24
set interfaces ge-0/0/1 unit 0 description To_KeySrv
set interfaces ge-0/0/1 unit 0 family inet address 10.18.101.1/24
set security zones security-zone LAN host-inbound-traffic system-services ike
set security zones security-zone LAN host-inbound-traffic system-services ssh
set security zones security-zone LAN host-inbound-traffic system-services ping
set security zones security-zone LAN interfaces ge-0/0/0.0
set security zones security-zone WAN host-inbound-traffic system-services ike
set security zones security-zone WAN host-inbound-traffic system-services ssh
set security zones security-zone WAN host-inbound-traffic system-services ping
set security zones security-zone WAN interfaces ge-0/0/1.0
set security address-book global address 172.16.0.0/12 172.16.0.0/12
set security policies from-zone LAN to-zone WAN policy 1 match source-address 172.16.0.0/12
set security policies from-zone LAN to-zone WAN policy 1 match destination-address 172.16.0.0/12
set security policies from-zone LAN to-zone WAN policy 1 match application any
set security policies from-zone LAN to-zone WAN policy 1 then permit
set security policies from-zone LAN to-zone WAN policy 1 then log session-init 
set security policies from-zone WAN to-zone LAN policy 1 match source-address 172.16.0.0/12
set security policies from-zone WAN to-zone LAN policy 1 match destination-address 172.16.0.0/12
set security policies from-zone WAN to-zone LAN policy 1 match application any
set security policies from-zone WAN to-zone LAN policy 1 then permit
set security policies from-zone WAN to-zone LAN policy 1 then log session-init 
set security policies global policy 1000 match source-address any
set security policies global policy 1000 match destination-address any
set security policies global policy 1000 match application any
set security policies global policy 1000 match from-zone any
set security policies global policy 1000 match to-zone any
set security policies global policy 1000 then reject
set security policies global policy 1000 then log session-init
set security policies global policy 1000 then count
set security policies default-policy deny-all
set routing-options static route 10.18.102.0/24 next-hop 10.18.101.254
set routing-options static route 10.18.103.0/24 next-hop 10.18.101.254
set routing-options static route 10.18.104.0/24 next-hop 10.18.101.254
set routing-options static route 172.16.101.0/24 next-hop 10.18.101.254
set routing-options static route 172.16.102.0/24 next-hop 10.18.101.254
set routing-options static route 172.16.103.0/24 next-hop 10.18.101.254
set routing-options static route 172.16.104.0/24 next-hop 10.18.101.254
set routing-options static route 10.10.100.0/24 next-hop 10.18.101.254
set security group-vpn member ike proposal PSK-SHA256-DH14-AES256 authentication-method pre-shared-keys
set security group-vpn member ike proposal PSK-SHA256-DH14-AES256 dh-group group14
set security group-vpn member ike proposal PSK-SHA256-DH14-AES256 authentication-algorithm sha-256
set security group-vpn member ike proposal PSK-SHA256-DH14-AES256 encryption-algorithm aes-256-cbc
set security group-vpn member ike policy KeySrv mode main
set security group-vpn member ike policy KeySrv proposals PSK-SHA256-DH14-AES256
set security group-vpn member ike policy KeySrv pre-shared-key ascii-text "$ABC123"
set security group-vpn member ike gateway KeySrv ike-policy KeySrv
set security group-vpn member ike gateway KeySrv server-address 10.10.100.1
set security group-vpn member ike gateway KeySrv local-address 10.18.101.1
set security group-vpn member ipsec vpn GROUP_ID-0001 ike-gateway KeySrv
set security group-vpn member ipsec vpn GROUP_ID-0001 group-vpn-external-interface ge-0/0/1.0
set security group-vpn member ipsec vpn GROUP_ID-0001 group 1
set security group-vpn member ipsec vpn GROUP_ID-0001 recovery-probe
set security ipsec-policy from-zone LAN to-zone WAN ipsec-group-vpn GROUP_ID-0001
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure the Group VPNv2 member:

  1. Configure interfaces, security zones, and security policies.

    [edit interfaces]
    user@host# set ge-0/0/0 unit 0 description To_LAN
    user@host# set ge-0/0/0 unit 0 family inet address 172.16.101.1/24
    user@host# set ge-0/0/1 unit 0 description To_KeySrv
    user@host# set ge-0/0/1 unit 0 family inet address 10.18.101.1/24
    [edit security zones security-zone LAN]
    user@host# set host-inbound-traffic system-services ike
    user@host# set host-inbound-traffic system-services ssh
    user@host# set host-inbound-traffic system-services ping
    user@host# set interfaces ge-0/0/0.0
    [edit security]
    user@host# set address-book global address 172.16.0.0/12 172.16.0.0/12
    [edit security zones security-zone WAN]
    user@host# set host-inbound-traffic system-services ike
    user@host# set host-inbound-traffic system-services ssh
    user@host# set host-inbound-traffic system-services ping
    user@host# set interfaces ge-0/0/1.0
    [edit security policies from-zone LAN to-zone WAN]
    user@host# set policy 1 match source-address 172.16.0.0/12
    user@host# set policy 1 match destination-address 172.16.0.0/12 
    user@host# set policy 1 match application any
    user@host# set policy 1 then permit
    user@host# set policy 1 then log session-init
    [edit security policies from-zone WAN to-zone LAN]
    user@host# set policy 1 match source-address 172.16.0.0/12
    user@host# set policy 1 match destination-address 172.16.0.0/12 
    user@host# set policy 1 match application any
    user@host# set policy 1 then permit
    user@host# set policy 1 then log session-init
    [edit security policies]
    user@host# set global policy 1000 match source-address any
    user@host# set global policy 1000 match destination-address any
    user@host# set global policy 1000 match application any
    user@host# set global policy 1000 match from-zone any
    user@host# set global policy 1000 match to-zone any
    user@host# set global policy 1000 then reject
    user@host# set global policy 1000 then log session-init
    user@host# set global policy 1000 then count
    user@host# set default-policy deny-all
    
  2. Configure static routes.

    [edit routing-options]
    user@host# set static route 10.18.102.0/24 next-hop 10.18.101.254
    user@host# set static route 10.18.103.0/24 next-hop 10.18.101.254
    user@host# set static route 10.18.104.0/24 next-hop 10.18.101.254
    user@host# set static route 172.16.101.0/24 next-hop 10.18.101.254
    user@host# set static route 172.16.102.0/24 next-hop 10.18.101.254
    user@host# set static route 172.16.103.0/24 next-hop 10.18.101.254
    user@host# set static route 172.16.104.0/24 next-hop 10.18.101.254
    user@host# set static route 10.10.100.0/24 next-hop 10.18.101.254
    
  3. Configure the IKE proposal, policy, and gateway.

    [edit security group-vpn member ike proposal PSK-SHA256-DH14-AES256]
    user@host# set authentication-method pre-shared-keys
    user@host# set authentication-algorithm sha-256
    user@host# set dh-group group14
    user@host# set encryption-algorithm aes-256-cbc
    [edit security group-vpn member ike policy KeySrv]
    user@host# set mode main
    user@host# set proposals PSK-SHA256-DH14-AES256
    user@host# set pre-shared-key ascii-text "$ABC123"
    [edit security group-vpn member ike gateway KeySrv]
    user@host# set ike-policy KeySrv
    user@host# set server-address 10.10.100.1
    user@host# set local-address 10.18.101.1
    
  4. Configure the IPsec SA.

    [edit security group-vpn member ipsec vpn GROUP_ID-0001]
    user@host# set ike-gateway KeySrv
    user@host# set group-vpn-external-interface ge-0/0/1.0
    user@host# set group 1 
    user@host# set recovery-probe
    
  5. Configure the IPsec policy.

    [edit security ipsec-policy from-zone LAN to-zone WAN]
    user@host# set ipsec-group-vpn GROUP_ID-0001
    
Results

From configuration mode, confirm your configuration by entering the show interfaces, show routing-options, and show security commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

[edit]
user@host# show interfaces
ge-0/0/0 {
    unit 0 {
        description To_LAN;
        family inet {
            address 172.16.101.1/24;
        }
    }
}
ge-0/0/1 {
    unit 0 {
        description To_KeySrv;
        family inet {
            address 10.18.101.1/24;
        }
    }
}
[edit]
user@host# show routing-options
static {
    route 10.18.102.0/24 next-hop 10.18.101.254;
    route 10.18.103.0/24 next-hop 10.18.101.254;
    route 10.18.104.0/24 next-hop 10.18.101.254;
    route 172.16.101.0/24 next-hop 10.18.101.254;
    route 172.16.102.0/24 next-hop 10.18.101.254;
    route 172.16.103.0/24 next-hop 10.18.101.254;
    route 172.16.104.0/24 next-hop 10.18.101.254;
    route 10.10.100.0/24 next-hop 10.18.101.254;
}
[edit]
user@host# show security
address-book {
    global {
        address 172.16.0.0/12 172.16.0.0/12;
    }
}
group-vpn {
    member {
        ike {
            proposal PSK-SHA256-DH14-AES256 {
                authentication-method pre-shared-keys;
                dh-group group14;
                authentication-algorithm sha-256;
                encryption-algorithm aes-256-cbc;
            }
            policy KeySrv {
                mode main;
                proposals PSK-SHA256-DH14-AES256;
                pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
            }
            gateway KeySrv {
                ike-policy KeySrv;
                server-address 10.10.100.1;
                local-address 10.18.101.1;
            }
        }
        ipsec {
            vpn GROUP_ID-0001 {
                ike-gateway KeySrv;
                group-vpn-external-interface ge-0/0/1.0;
                group 1;
                recovery-probe;
            }
        }
    }
}
ipsec-policy {
    from-zone LAN to-zone WAN {
        ipsec-group-vpn GROUP_ID-0001;
    }
}
policies {
    from-zone LAN to-zone WAN {
        policy 1 {
            match {
                source-address 172.16.0.0/12;
                destination-address 172.16.0.0/12;
                application any;
            }
            then {
                permit;
                log {
                    session-init;
                }
            }
        }
    }
    from-zone WAN to-zone LAN {
        policy 1 {
            match {
                source-address 172.16.0.0/12;
                destination-address 172.16.0.0/12;
                application any;
            }
            then {
                permit;
                log {
                    session-init;
                }
            }
        }
    }
    global {
        policy 1000 {
            match {
                source-address any;
                destination-address any;
                application any;
                from-zone any;
                to-zone any;
            }
            then {
                reject;
                log {
                    session-init;
                }
                count;
            }
        }
    }
    default-policy {
        deny-all;
    }
}
zones {
    security-zone LAN {
        host-inbound-traffic {
            system-services {
                ike;
                ssh;
                ping;
            }
        }
        interfaces {
            ge-0/0/0.0;
        }
    }
    security-zone WAN {
        host-inbound-traffic {
            system-services {
                ike;
                ssh;
                ping;
            }
        }
        interfaces {
            ge-0/0/1.0;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Configuring Group Member GM-0002 (SRX Series Firewall or vSRX Virtual Firewall Instance)

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set interfaces ge-0/0/0 unit 0 description To_LAN
set interfaces ge-0/0/0 unit 0 family inet address 172.16.102.1/24
set interfaces ge-0/0/1 unit 0 description To_KeySrv
set interfaces ge-0/0/1 unit 0 family inet address 10.18.102.1/24
set security zones security-zone LAN host-inbound-traffic system-services ike
set security zones security-zone LAN host-inbound-traffic system-services ssh
set security zones security-zone LAN host-inbound-traffic system-services ping
set security zones security-zone LAN interfaces ge-0/0/0.0
set security zones security-zone WAN host-inbound-traffic system-services ike
set security zones security-zone WAN host-inbound-traffic system-services ssh
set security zones security-zone WAN host-inbound-traffic system-services ping
set security zones security-zone WAN interfaces ge-0/0/1.0
set security address-book global address 172.16.0.0/12 172.16.0.0/12
set security policies from-zone LAN to-zone WAN policy 1 match source-address 172.16.0.0/12
set security policies from-zone LAN to-zone WAN policy 1 match destination-address 172.16.0.0/12
set security policies from-zone LAN to-zone WAN policy 1 match application any
set security policies from-zone LAN to-zone WAN policy 1 then permit
set security policies from-zone LAN to-zone WAN policy 1 then log session-init 
set security policies from-zone WAN to-zone LAN policy 1 match source-address 172.16.0.0/12
set security policies from-zone WAN to-zone LAN policy 1 match destination-address 172.16.0.0/12
set security policies from-zone WAN to-zone LAN policy 1 match application any
set security policies from-zone WAN to-zone LAN policy 1 then permit
set security policies from-zone WAN to-zone LAN policy 1 then log session-init 
set security policies global policy 1000 match source-address any
set security policies global policy 1000 match destination-address any
set security policies global policy 1000 match application any
set security policies global policy 1000 match from-zone any
set security policies global policy 1000 match to-zone any
set security policies global policy 1000 then reject
set security policies global policy 1000 then log session-init
set security policies global policy 1000 then count
set security policies default-policy deny-all
set routing-options static route 10.18.101.0/24 next-hop 10.18.102.254
set routing-options static route 10.18.103.0/24 next-hop 10.18.102.254
set routing-options static route 10.18.104.0/24 next-hop 10.18.102.254
set routing-options static route 172.16.101.0/24 next-hop 10.18.102.254
set routing-options static route 172.16.102.0/24 next-hop 10.18.102.254
set routing-options static route 172.16.103.0/24 next-hop 10.18.102.254
set routing-options static route 172.16.104.0/24 next-hop 10.18.102.254
set routing-options static route 10.10.100.0/24 next-hop 10.18.102.254
set security group-vpn member ike proposal PSK-SHA256-DH14-AES256 authentication-method pre-shared-keys
set security group-vpn member ike proposal PSK-SHA256-DH14-AES256 dh-group group14
set security group-vpn member ike proposal PSK-SHA256-DH14-AES256 authentication-algorithm sha-256
set security group-vpn member ike proposal PSK-SHA256-DH14-AES256 encryption-algorithm aes-256-cbc
set security group-vpn member ike policy KeySrv mode main
set security group-vpn member ike policy KeySrv proposals PSK-SHA256-DH14-AES256
set security group-vpn member ike policy KeySrv pre-shared-key ascii-text "$ABC123"
set security group-vpn member ike gateway KeySrv ike-policy KeySrv
set security group-vpn member ike gateway KeySrv server-address 10.10.100.1
set security group-vpn member ike gateway KeySrv local-address 10.18.102.1
set security group-vpn member ipsec vpn GROUP_ID-0001 ike-gateway KeySrv
set security group-vpn member ipsec vpn GROUP_ID-0001 group-vpn-external-interface ge-0/0/1.0
set security group-vpn member ipsec vpn GROUP_ID-0001 group 1
set security group-vpn member ipsec vpn GROUP_ID-0001 recovery-probe
set security ipsec-policy from-zone LAN to-zone WAN ipsec-group-vpn GROUP_ID-0001
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure the Group VPNv2 member:

  1. Configure interfaces, security zones, and security policies.

    [edit interfaces]
    user@host# set ge-0/0/0 unit 0 description To_LAN
    user@host# set ge-0/0/0 unit 0 family inet address 172.16.102.1/24
    user@host# set ge-0/0/1 unit 0 description To_KeySrv
    user@host# set ge-0/0/1 unit 0 family inet address 10.18.102.1/24
    [edit security zones security-zone LAN]
    user@host# set host-inbound-traffic system-services ike
    user@host# set host-inbound-traffic system-services ssh
    user@host# set host-inbound-traffic system-services ping
    user@host# set interfaces ge-0/0/0.0
    [edit security zones security-zone WAN]
    user@host# set host-inbound-traffic system-services ike
    user@host# set host-inbound-traffic system-services ssh
    user@host# set host-inbound-traffic system-services ping
    user@host# set interfaces ge-0/0/1.0
    [edit security]
    user@host# set address-book global address 172.16.0.0/12 172.16.0.0/12
    [edit security policies from-zone LAN to-zone WAN]
    user@host# set policy 1 match source-address 172.16.0.0/12
    user@host# set policy 1 match destination-address 172.16.0.0/12 
    user@host# set policy 1 match application any
    user@host# set policy 1 then permit
    user@host# set policy 1 then log session-init
    [edit security policies from-zone WAN to-zone LAN]
    user@host# set policy 1 match source-address 172.16.0.0/12
    user@host# set policy 1 match destination-address 172.16.0.0/12 
    user@host# set policy 1 match application any
    user@host# set policy 1 then permit
    user@host# set policy 1 then log session-init
    [edit security policies]
    user@host# set global policy 1000 match source-address any
    user@host# set global policy 1000 match destination-address any
    user@host# set global policy 1000 match application any
    user@host# set global policy 1000 match from-zone any
    user@host# set global policy 1000 match to-zone any
    user@host# set global policy 1000 then reject
    user@host# set global policy 1000 then log session-init
    user@host# set global policy 1000 then count
    user@host# set default-policy deny-all
    
  2. Configure static routes.

    [edit routing-options]
    user@host# set static route 10.18.101.0/24 next-hop 10.18.102.254
    user@host# set static route 10.18.103.0/24 next-hop 10.18.102.254
    user@host# set static route 10.18.104.0/24 next-hop 10.18.102.254
    user@host# set static route 172.16.101.0/24 next-hop 10.18.102.254
    user@host# set static route 172.16.102.0/24 next-hop 10.18.102.254
    user@host# set static route 172.16.103.0/24 next-hop 10.18.102.254
    user@host# set static route 172.16.104.0/24 next-hop 10.18.102.254
    user@host# set static route 10.10.100.0/24 next-hop 10.18.102.254
    
  3. Configure the IKE proposal, policy, and gateway.

    [edit security group-vpn member ike proposal PSK-SHA256-DH14-AES256]
    user@host# set authentication-method pre-shared-keys
    user@host# set authentication-algorithm sha-256
    user@host# set dh-group group14
    user@host# set encryption-algorithm aes-256-cbc
    [edit security group-vpn member ike policy KeySrv]
    user@host# set mode main
    user@host# set proposals PSK-SHA256-DH14-AES256
    user@host# set pre-shared-key ascii-text "$ABC123"
    [edit security group-vpn member ike gateway KeySrv]
    user@host# set ike-policy KeySrv
    user@host# set server-address 10.10.100.1
    user@host# set local-address 10.18.102.1
    
  4. Configure the IPsec SA.

    [edit security group-vpn member ipsec vpn GROUP_ID-0001]
    user@host# set ike-gateway KeySrv
    user@host# set group-vpn-external-interface ge-0/0/1.0
    user@host# set group 1 
    user@host# set recovery-probe
    
  5. Configure the IPsec policy.

    [edit security ipsec-policy from-zone LAN to-zone WAN]
    user@host# set ipsec-group-vpn GROUP_ID-0001
    
Results

From configuration mode, confirm your configuration by entering the show interfaces, show routing-options, and show security commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

[edit]
user@host# show interfaces
ge-0/0/0 {
    unit 0 {
        description To_LAN;
        family inet {
            address 172.16.102.1/24;
        }
    }
}
ge-0/0/1 {
    unit 0 {
        description To_KeySrv;
        family inet {
            address 10.18.102.1/24;
        }
    }
}
[edit]
user@host# show routing-options
static {
    route 10.18.101.0/24 next-hop 10.18.102.254;
    route 10.18.103.0/24 next-hop 10.18.102.254;
    route 10.18.104.0/24 next-hop 10.18.102.254;
    route 172.16.101.0/24 next-hop 10.18.102.254;
    route 172.16.102.0/24 next-hop 10.18.102.254;
    route 172.16.103.0/24 next-hop 10.18.102.254;
    route 172.16.104.0/24 next-hop 10.18.102.254;
    route 10.10.100.0/24 next-hop 10.18.102.254;
}
[edit]
user@host# show security
address-book {
    global {
        address 172.16.0.0/12 172.16.0.0/12;
    }
}
group-vpn {
    member {
        ike {
            proposal PSK-SHA256-DH14-AES256 {
                authentication-method pre-shared-keys;
                dh-group group14;
                authentication-algorithm sha-256;
                encryption-algorithm aes-256-cbc;
            }
            policy KeySrv {
                mode main;
                proposals PSK-SHA256-DH14-AES256;
                pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
            }
            gateway KeySrv {
                ike-policy KeySrv;
                server-address 10.10.100.1;
                local-address 10.18.102.1;
            }
        }
        ipsec {
            vpn GROUP_ID-0001 {
                ike-gateway KeySrv;
                group-vpn-external-interface ge-0/0/1.0;
                group 1;
                recovery-probe;
            }
        }
    }
}
policies {
    from-zone LAN to-zone WAN {
        policy 1 {
            match {
                source-address 172.16.0.0/12;
                destination-address 172.16.0.0/12;
                application any;
            }
            then {
                permit;
                log {
                    session-init;
                }
            }
        }
    }
    from-zone WAN to-zone LAN {
        policy 1 {
            match {
                source-address 172.16.0.0/12;
                destination-address 172.16.0.0/12;
                application any;
            }
            then {
                permit;
                log {
                    session-init;
                }
            }
        }
    }
    global {
        policy 1000 {
            match {
                source-address any;
                destination-address any;
                application any;
                from-zone any;
                to-zone any;
            }
            then {
                reject;
                log {
                    session-init;
                }
                count;
            }
        }
    }
    default-policy {
        deny-all;
    }
}
zones {
    security-zone LAN {
        host-inbound-traffic {
            system-services {
                ike;
                ssh;
                ping;
            }
        }
        interfaces {
            ge-0/0/0.0;
        }
    }
    security-zone WAN {
        host-inbound-traffic {
            system-services {
                ike;
                ssh;
                ping;
            }
        }
        interfaces {
            ge-0/0/1.0;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Configuring Group Member GM-0003 (MX Series Device)

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set interfaces xe-0/0/1 unit 0 family inet service input service-set GROUP_ID-0001 service-filter GroupVPN-KS
set interfaces xe-0/0/1 unit 0 family inet service output service-set GROUP_ID-0001 service-filter GroupVPN-KS
set interfaces xe-0/0/1 unit 0 family inet address 10.18.103.1/24
set interfaces xe-0/0/2 unit 0 family inet address 172.16.103.1/24
set interfaces ms-0/2/0 unit 0 family inet
set routing-options static route 10.18.101.0/24 next-hop 10.18.103.254
set routing-options static route 10.18.102.0/24 next-hop 10.18.103.254
set routing-options static route 10.18.104.0/24 next-hop 10.18.103.254
set routing-options static route 172.16.101.0/24 next-hop 10.18.103.254
set routing-options static route 172.16.102.0/24 next-hop 10.18.103.254
set routing-options static route 172.16.103.0/24 next-hop 10.18.103.254
set routing-options static route 172.16.104.0/24 next-hop 10.18.103.254
set routing-options static route 10.10.100.0/24 next-hop 10.18.103.254
set security group-vpn member ike proposal PSK-SHA256-DH14-AES256 authentication-method pre-shared-keys
set security group-vpn member ike proposal PSK-SHA256-DH14-AES256 dh-group group14
set security group-vpn member ike proposal PSK-SHA256-DH14-AES256 authentication-algorithm sha-256
set security group-vpn member ike proposal PSK-SHA256-DH14-AES256 encryption-algorithm aes-256-cbc
set security group-vpn member ike policy KeySrv mode main
set security group-vpn member ike policy KeySrv proposals PSK-SHA256-DH14-AES256
set security group-vpn member ike policy KeySrv pre-shared-key ascii-text "$ABC123"
set security group-vpn member ike gateway KeySrv ike-policy KeySrv
set security group-vpn member ike gateway KeySrv server-address 10.10.100.1
set security group-vpn member ike gateway KeySrv local-address 10.18.103.1
set security group-vpn member ipsec vpn GROUP_ID-0001 ike-gateway KeySrv
set security group-vpn member ipsec vpn GROUP_ID-0001 group 1
set security group-vpn member ipsec vpn GROUP_ID-0001 match-direction output
set security group-vpn member ipsec vpn GROUP_ID-0001 tunnel-mtu 1400
set security group-vpn member ipsec vpn GROUP_ID-0001 df-bit clear
set services service-set GROUP_ID-0001 interface-service service-interface ms-0/2/0.0
set services service-set GROUP_ID-0001 ipsec-group-vpn GROUP_ID-0001
set firewall family inet service-filter GroupVPN-KS term inbound-ks from destination-address 10.10.100.1/32
set firewall family inet service-filter GroupVPN-KS term inbound-ks from source-address 10.10.100.1/32
set firewall family inet service-filter GroupVPN-KS term inbound-ks then skip
set firewall family inet service-filter GroupVPN-KS term outbound-ks from destination-address 10.10.100.1/32
set firewall family inet service-filter GroupVPN-KS term outbound-ks then skip
set firewall family inet service-filter GroupVPN-KS term GROUP_ID-0001 from source-address 172.16.0.0/12
set firewall family inet service-filter GroupVPN-KS term GROUP_ID-0001 from destination-address 172.16.0.0/12
set firewall family inet service-filter GroupVPN-KS term GROUP_ID-0001 then service
Step-by-Step Procedure

To configure the Group VPNv2 member:

  1. Configure interfaces.

    [edit interfaces]
    user@host# set xe-0/0/1 unit 0 family inet service input service-set GROUP_ID-0001 service-filter GroupVPN-KS
    user@host# set xe-0/0/1 unit 0 family inet service output service-set GROUP_ID-0001 service-filter GroupVPN-KS
    user@host# set xe-0/0/1 unit 0 family inet address 10.18.103.1/24
    user@host# set xe-0/0/2 unit 0 family inet address 172.16.103.1/24
    user@host# set ms-0/2/0 unit 0 family inet
    
  2. Configure routing.

    [edit routing-options]
    user@host# set static route 10.18.101.0/24 next-hop 10.18.103.254
    user@host# set static route 10.18.102.0/24 next-hop 10.18.103.254
    user@host# set static route 10.18.104.0/24 next-hop 10.18.103.254
    user@host# set static route 172.16.101.0/24 next-hop 10.18.103.254
    user@host# set static route 172.16.102.0/24 next-hop 10.18.103.254
    user@host# set static route 172.16.103.0/24 next-hop 10.18.103.254
    user@host# set static route 172.16.104.0/24 next-hop 10.18.103.254
    user@host# set static route 10.10.100.0/24 next-hop 10.18.103.254
    
  3. Configure the IKE proposal, policy, and gateway.

    [edit security group-vpn member ike proposal PSK-SHA256-DH14-AES256]
    user@host# set authentication-method pre-shared-keys
    user@host# set dh-group group14
    user@host# set authentication-algorithm sha-256
    user@host# set encryption-algorithm aes-256-cbc
    [edit security group-vpn member ike policy KeySrv]
    user@host# set mode main
    user@host# set proposals PSK-SHA256-DH14-AES256
    user@host# set pre-shared-key ascii-text "$ABC123"
    [edit security group-vpn member ike gateway KeySrv]
    user@host# set ike-policy KeySrv
    user@host# set server-address 10.10.100.1
    user@host# set local-address 10.18.103.1
    
  4. Configure the IPsec SA.

    [edit security group-vpn member ipsec vpn GROUP_ID-0001]
    user@host# set ike-gateway KeySrv
    user@host# set group 1
    user@host# set match-direction output
    user@host# set tunnel-mtu 1400
    user@host# set df-bit clear
    
  5. Configure the service filter.

    [edit firewall family inet service-filter GroupVPN-KS]
    user@host# set term inbound-ks from destination-address 10.10.100.1/32
    user@host# set term inbound-ks from source-address 10.10.100.1/32
    user@host# set term inbound-ks then skip
    user@host# set term outbound-ks from destination-address 10.10.100.1/32
    user@host# set term outbound-ks then skip
    user@host# set term GROUP_ID-0001 from source-address 172.16.0.0/12
    user@host# set term GROUP_ID-0001 from destination-address 172.16.0.0/12
    user@host# set term GROUP_ID-0001 then service
    
  6. Configure the service set.

    [edit services service-set GROUP_ID-0001]
    user@host# set interface-service service-interface ms-0/2/0.0
    user@host# set ipsec-group-vpn GROUP_ID-0001
    
Results

From configuration mode, confirm your configuration by entering the show interfaces, show routing-options, show services, show security, and show firewall commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

[edit]
user@host# show interfaces
xe-0/0/1 {
    unit 0 {
        family inet {
            service {
                input {
                    service-set GROUP_ID-0001 service-filter GroupVPN-KS;
                }
                output {
                    service-set GROUP_ID-0001 service-filter GroupVPN-KS;
                }
            }
            address 10.18.103.1/24;
        }
    }
}
xe-0/0/2 {
    unit 0 {
        family inet {
            address 172.16.103.1/24;
        }
    }
}
ms-0/2/0 {
    unit 0 {
        family inet;
    }
}
[edit]
user@host# show routing-options
static {
    route 10.18.101.0/24 next-hop 10.18.103.254;
    route 10.18.102.0/24 next-hop 10.18.103.254;
    route 10.18.104.0/24 next-hop 10.18.103.254;
    route 172.16.101.0/24 next-hop 10.18.103.254;
    route 172.16.102.0/24 next-hop 10.18.103.254;
    route 172.16.103.0/24 next-hop 10.18.103.254;
    route 172.16.104.0/24 next-hop 10.18.103.254;
    route 10.10.100.0/24 next-hop 10.18.103.254;
}
[edit]
user@host# show security
group-vpn {
    member {
        ike {
            proposal PSK-SHA256-DH14-AES256 {
                authentication-method pre-shared-keys;
                dh-group group14;
                authentication-algorithm sha-256;
                encryption-algorithm aes-256-cbc;
            }
            policy KeySrv {
                mode main;
                proposals PSK-SHA256-DH14-AES256;
                pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
            }
            gateway KeySrv {
                ike-policy KeySrv;
                local-address 10.18.103.1;
                server-address 10.10.100.1;
            }
        }
        ipsec {
            vpn GROUP_ID-0001 {
                ike-gateway KeySrv;
                group 1;
                match-direction output;
                tunnel-mtu 1400;
                df-bit clear;
            }
        }
    }
}
[edit]
user@host# show services
service-set GROUP_ID-0001 {
    interface-service {
        service-interface ms-0/2/0.0;
    }
    ipsec-group-vpn GROUP_ID-0001;
}
[edit]
user@host# show firewall
family inet {
    service-filter GroupVPN-KS {
        term inbound-ks {
            from {
                destination-address {
                    10.10.100.1/32;
                }
                source-address {
                    10.10.100.1/32;
                }
            }
            then skip;
        }
        term outbound-ks {
            from {
                destination-address {
                    10.10.100.1/32;
                }
            }
            then skip;
        }
        term GROUP_ID-0001 {
            from {
                source-address {
                    172.16.0.0/12;
                }
                destination-address {
                    172.16.0.0/12;
                }
            }
            then service;
        }
    }
}

Configuring Group Member GM-0004 (MX Series Device)

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set interfaces xe-0/0/1 unit 0 family inet service input service-set GROUP_ID-0001 service-filter GroupVPN-KS
set interfaces xe-0/0/1 unit 0 family inet service output service-set GROUP_ID-0001 service-filter GroupVPN-KS
set interfaces xe-0/0/1 unit 0 family inet address 10.18.104.1/24
set interfaces xe-0/0/2 unit 0 family inet address 172.16.104.1/24
set interfaces ms-0/2/0 unit 0 family inet
set routing-options static route 10.18.101.0/24 next-hop 10.18.104.254
set routing-options static route 10.18.102.0/24 next-hop 10.18.104.254
set routing-options static route 10.18.103.0/24 next-hop 10.18.104.254
set routing-options static route 172.16.101.0/24 next-hop 10.18.104.254
set routing-options static route 172.16.102.0/24 next-hop 10.18.104.254
set routing-options static route 172.16.103.0/24 next-hop 10.18.104.254
set routing-options static route 172.16.104.0/24 next-hop 10.18.104.254
set security group-vpn member ike proposal PSK-SHA256-DH14-AES256 authentication-method pre-shared-keys
set security group-vpn member ike proposal PSK-SHA256-DH14-AES256 dh-group group14
set security group-vpn member ike proposal PSK-SHA256-DH14-AES256 authentication-algorithm sha-256
set security group-vpn member ike proposal PSK-SHA256-DH14-AES256 encryption-algorithm aes-256-cbc
set security group-vpn member ike policy SubSrv mode main
set security group-vpn member ike policy SubSrv proposals PSK-SHA256-DH14-AES256
set security group-vpn member ike policy SubSrv pre-shared-key ascii-text "$ABC123"
set security group-vpn member ike gateway SubSrv ike-policy SubSrv
set security group-vpn member ike gateway SubSrv server-address 10.17.101.1
set security group-vpn member ike gateway SubSrv server-address 10.17.102.1
set security group-vpn member ike gateway SubSrv server-address 10.17.103.1
set security group-vpn member ike gateway SubSrv server-address 10.17.104.1
set security group-vpn member ike gateway SubSrv local-address 10.18.104.1
set security group-vpn member ipsec vpn GROUP_ID-0001 ike-gateway SubSrv
set security group-vpn member ipsec vpn GROUP_ID-0001 group 1
set security group-vpn member ipsec vpn GROUP_ID-0001 match-direction output
set security group-vpn member ipsec vpn GROUP_ID-0001 tunnel-mtu 1400
set security group-vpn member ipsec vpn GROUP_ID-0001 df-bit clear
set services service-set GROUP_ID-0001 interface-service service-interface ms-0/2/0.0
set services service-set GROUP_ID-0001 ipsec-group-vpn GROUP_ID-0001
set firewall family inet service-filter GroupVPN-KS term inbound-ks from destination-address 10.10.100.1/32
set firewall family inet service-filter GroupVPN-KS term inbound-ks from source-address 10.10.100.1/32
set firewall family inet service-filter GroupVPN-KS term outbound-ks from destination-address 10.17.101.1/32
set firewall family inet service-filter GroupVPN-KS term outbound-ks from destination-address 10.17.102.1/32
set firewall family inet service-filter GroupVPN-KS term outbound-ks from destination-address 10.17.103.1/32
set firewall family inet service-filter GroupVPN-KS term outbound-ks from destination-address 10.17.104.1/32
set firewall family inet service-filter GroupVPN-KS term outbound-ks then skip
set firewall family inet service-filter GroupVPN-KS term GROUP_ID-0001 from source-address 172.16.0.0/12
set firewall family inet service-filter GroupVPN-KS term GROUP_ID-0001 from destination-address 172.16.0.0/12
set firewall family inet service-filter GroupVPN-KS term GROUP_ID-0001 then service
Step-by-Step Procedure

To configure the Group VPNv2 member:

  1. Configure interfaces.

    [edit interfaces]
    user@host# set xe-0/0/1 unit 0 family inet service input service-set GROUP_ID-0001 service-filter GroupVPN-KS
    user@host# set xe-0/0/1 unit 0 family inet service output service-set GROUP_ID-0001 service-filter GroupVPN-KS
    user@host# set xe-0/0/1 unit 0 family inet address 10.18.104.1/24
    user@host# set xe-0/0/2 unit 0 family inet address 172.16.104.1/24
    user@host# set ms-0/2/0 unit 0 family inet
    
  2. Configure routing.

    [edit routing-options]
    user@host# set static route 10.18.101.0/24 next-hop 10.18.104.254
    user@host# set static route 10.18.102.0/24 next-hop 10.18.104.254
    user@host# set static route 10.18.103.0/24 next-hop 10.18.104.254
    user@host# set static route 172.16.101.0/24 next-hop 10.18.104.254
    user@host# set static route 172.16.102.0/24 next-hop 10.18.104.254
    user@host# set static route 172.16.103.0/24 next-hop 10.18.104.254
    user@host# set static route 172.16.104.0/24 next-hop 10.18.104.254
    
  3. Configure the IKE proposal, policy, and gateway.

    [edit security group-vpn member ike proposal PSK-SHA256-DH14-AES256]
    user@host# set authentication-method pre-shared-keys
    user@host# set dh-group group14
    user@host# set authentication-algorithm sha-256
    user@host# set encryption-algorithm aes-256-cbc
    [edit security group-vpn member ike policy KeySrv]
    user@host# set mode main
    user@host# set proposals PSK-SHA256-DH14-AES256
    user@host# set pre-shared-key ascii-text "$ABC123"
    [edit security group-vpn member ike gateway KeySrv]
    user@host# set ike-policy KeySrv
    user@host# set server-address 10.10.100.1
    user@host# set local-address 10.18.104.1
    
  4. Configure the IPsec SA.

    [edit security group-vpn member ipsec vpn GROUP_ID-0001]
    user@host# set ike-gateway KeySrv
    user@host# set group 1
    user@host# set match-direction output
    user@host# set tunnel-mtu 1400
    user@host# set df-bit clear
    
  5. Configure the service filter.

    [edit firewall family inet service-filter GroupVPN-KS]
    user@host# set term inbound-ks from destination-address 10.10.100.1/32
    user@host# set term inbound-ks from source-address 10.10.100.1/32
    user@host# set term inbound-ks then skip
    user@host# set term outbound-ks from destination-address 10.17.101.1/32
    user@host# set term outbound-ks from destination-address 10.17.102.1/32
    user@host# set term outbound-ks from destination-address 10.17.103.1/32
    user@host# set term outbound-ks from destination-address 10.17.104.1/32
    user@host# set term outbound-ks then skip
    user@host# set term GROUP_ID-0001 from source-address 172.16.0.0/12
    user@host# set term GROUP_ID-0001 from destination-address 172.16.0.0/12
    user@host# set term GROUP_ID-0001 then service
    
  6. Configure the service set.

    [edit services service-set GROUP_ID-0001]
    user@host# set interface-service service-interface ms-0/2/0.0
    user@host# set ipsec-group-vpn GROUP_ID-0001
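
Every member configured in the procedures above must agree with the key server on the IKE proposal parameters, the IKE mode and the group identifier, and each member's local-address has to be an address the member actually owns (on the group-vpn-external-interface for SRX members). Because member configurations are usually produced by cloning one member and editing the site-specific values, a mismatch that stops registration is easy to introduce and hard to spot across several devices. The following Python script is an added example, not part of this documentation or of Junos OS: it parses the members' set commands and reports such mismatches. The function names (parse_member, check_members, run_example), the member GM-BAD and the address 10.18.105.1 are assumptions constructed for the example; the remaining values are the GM-0002 and GM-0003 values used in this example.

```python
"""Consistency check for Group VPNv2 member configurations written as Junos
'set' commands.  Added example, not Juniper code.  The sample members are
reduced copies of the GM-0002 (SRX) and GM-0003 (MX) values from this example
plus one constructed, deliberately broken clone."""
import re

# Parameters the key server and every member of a group must agree on.
SHARED_KEYS = ("authentication-method", "dh-group", "authentication-algorithm",
               "encryption-algorithm", "mode", "group")
# Keywords recorded from 'set security group-vpn member ...' statements.
KEYWORDS = SHARED_KEYS + ("server-address", "local-address", "ike-gateway",
                          "group-vpn-external-interface")
# Statements no member can register without.
REQUIRED = ("server-address", "local-address", "group", "ike-gateway")
ADDR_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)/\d+$")


def parse_member(name: str, text: str) -> dict:
    """Return {"name", "params": {keyword: [values]}, "addresses": {ifl: ip}}.
    A keyword is the second-to-last token of a statement, e.g. 'dh-group group14'."""
    params, addresses = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ADDR_RE.match(line)
        if m:
            addresses[f"{m.group(1)}.{m.group(2)}"] = m.group(3)
        elif line.startswith("set security group-vpn member "):
            tokens = line.split()
            if tokens[-2] in KEYWORDS:
                params.setdefault(tokens[-2], []).append(tokens[-1])
    return {"name": name, "params": params, "addresses": addresses}


def check_members(members: list) -> list:
    """Return findings for a set of members; an empty list means consistent."""
    findings = []
    for mbr in members:                      # 1. mandatory statements present
        for key in REQUIRED:
            if key not in mbr["params"]:
                findings.append(f"{mbr['name']}: missing {key}")
    for key in SHARED_KEYS:                  # 2. shared parameters identical
        seen = {m["name"]: ",".join(m["params"].get(key, ["<unset>"])) for m in members}
        if len(set(seen.values())) > 1:
            findings.append(f"{key} differs: " + ", ".join(f"{n}={v}" for n, v in seen.items()))
    for mbr in members:                      # 3. local-address belongs to the member
        for local in mbr["params"].get("local-address", []):
            if local not in mbr["addresses"].values():
                findings.append(f"{mbr['name']}: local-address {local} is not configured on any interface")
            for ifl in mbr["params"].get("group-vpn-external-interface", []):
                if mbr["addresses"].get(ifl) != local:
                    findings.append(f"{mbr['name']}: local-address {local} is not the address of {ifl}")
    return findings


GM_0002 = """
set interfaces ge-0/0/1 unit 0 family inet address 10.18.102.1/24
set security group-vpn member ike proposal PSK-SHA256-DH14-AES256 authentication-method pre-shared-keys
set security group-vpn member ike proposal PSK-SHA256-DH14-AES256 dh-group group14
set security group-vpn member ike proposal PSK-SHA256-DH14-AES256 authentication-algorithm sha-256
set security group-vpn member ike proposal PSK-SHA256-DH14-AES256 encryption-algorithm aes-256-cbc
set security group-vpn member ike policy KeySrv mode main
set security group-vpn member ike gateway KeySrv server-address 10.10.100.1
set security group-vpn member ike gateway KeySrv local-address 10.18.102.1
set security group-vpn member ipsec vpn GROUP_ID-0001 ike-gateway KeySrv
set security group-vpn member ipsec vpn GROUP_ID-0001 group-vpn-external-interface ge-0/0/1.0
set security group-vpn member ipsec vpn GROUP_ID-0001 group 1
"""
GM_0003 = """
set interfaces xe-0/0/1 unit 0 family inet address 10.18.103.1/24
set security group-vpn member ike proposal PSK-SHA256-DH14-AES256 authentication-method pre-shared-keys
set security group-vpn member ike proposal PSK-SHA256-DH14-AES256 dh-group group14
set security group-vpn member ike proposal PSK-SHA256-DH14-AES256 authentication-algorithm sha-256
set security group-vpn member ike proposal PSK-SHA256-DH14-AES256 encryption-algorithm aes-256-cbc
set security group-vpn member ike policy KeySrv mode main
set security group-vpn member ike gateway KeySrv server-address 10.10.100.1
set security group-vpn member ike gateway KeySrv local-address 10.18.103.1
set security group-vpn member ipsec vpn GROUP_ID-0001 ike-gateway KeySrv
set security group-vpn member ipsec vpn GROUP_ID-0001 group 1
"""
# Constructed: GM-0002 cloned for a new site with the interface address changed,
# the local-address left behind, and the proposal edited to a different DH group.
GM_BAD = (GM_0002.replace("address 10.18.102.1/24", "address 10.18.105.1/24")
                 .replace("dh-group group14", "dh-group group5"))


def run_example() -> list:
    """Check the two documented members together with the broken clone."""
    return check_members([parse_member("GM-0002", GM_0002),
                          parse_member("GM-0003", GM_0003),
                          parse_member("GM-BAD", GM_BAD)])


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

Feed it the saved show configuration | display set output of each member. An empty findings list means the members agree with one another; a non-empty list names the member and the statement to correct before you commit, which is cheaper than waiting for the member to fail its groupkey-pull registration with the server.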
    
Results

From configuration mode, confirm your configuration by entering the show interfaces, show routing-options, show services, show security, and show firewall commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

[edit]
user@host# show interfaces
xe-0/0/1 {
    unit 0 {
        family inet {
            service {
                input {
                    service-set GROUP_ID-0001 service-filter GroupVPN-KS;
                }
                output {
                    service-set GROUP_ID-0001 service-filter GroupVPN-KS;
                }
            }
            address 10.18.104.1/24;
        }
    }
}
xe-0/0/2 {
    unit 0 {
        family inet {
            address 172.16.104.1/24;
        }
    }
}
ms-0/2/0 {
    unit 0 {
        family inet;
    }
}
[edit]
user@host# show routing-options
static {
    route 10.18.101.0/24 next-hop 10.18.104.254;
    route 10.18.102.0/24 next-hop 10.18.104.254;
    route 10.18.103.0/24 next-hop 10.18.104.254;
    route 172.16.101.0/24 next-hop 10.18.104.254;
    route 172.16.102.0/24 next-hop 10.18.104.254;
    route 172.16.103.0/24 next-hop 10.18.104.254;
    route 172.16.104.0/24 next-hop 10.18.104.254;
}
[edit]
user@host# show security
group-vpn {
    member {
        ike {
            proposal PSK-SHA256-DH14-AES256 {
                authentication-method pre-shared-keys;
                dh-group group14;
                authentication-algorithm sha-256;
                encryption-algorithm aes-256-cbc;
            }
            policy KeySrv {
                mode main;
                proposals PSK-SHA256-DH14-AES256;
                pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
            }
            gateway KeySrv {
                ike-policy KeySrv;
                local-address 10.18.104.1;
                server-address 10.17.101.1;
            }
        }
        ipsec {
            vpn GROUP_ID-0001 {
                ike-gateway KeySrv;
                group 1;
                match-direction output;
                tunnel-mtu 1400;
                df-bit clear;
            }
        }
    }
}
[edit]
user@host# show services
service-set GROUP_ID-0001 {
    interface-service {
        service-interface ms-0/2/0.0;
    }
    ipsec-group-vpn GROUP_ID-0001;
}
[edit]
user@host# show firewall
family inet {
    service-filter GroupVPN-KS {
        term inbound-ks {
            from {
                destination-address {
                    10.10.100.1/32;
                }
                source-address {
                    10.10.100.1/32;
                }
            }
            then skip;
        }
        term outbound-ks {
            from {
                destination-address {
                    10.17.101.1/32;
                    10.17.102.1/32;
                    10.17.103.1/32;
                    10.17.104.1/32;
                }
            }
            then skip;
        }
        term GROUP_ID-0001 {
            from {
                source-address {
                    172.16.0.0/12;
                }
                destination-address {
                    172.16.0.0/12;
                }
            }
            then service;
        }
    }
}

Verification

Confirm that the configuration is working properly.

Verifying Group Member Registration

Purpose

Verify that group members are registered with the server.

Action

From operational mode on the server, enter the show security group-vpn server registered-members and show security group-vpn server registered-members detail commands.

user@host> show security group-vpn server registered-members
Group: GROUP_ID-0001, Group Id: 1
  Total number of registered members: 2
  Member Gateway                   Member IP       Last Update              Vsys
  GM-0001                          10.18.101.1     Thu Nov 19 2015 16:31:09 root
  GM-0003                          10.18.103.1     Thu Nov 19 2015 16:29:47 root
user@host> show security group-vpn server registered-members detail
Group: GROUP_ID-0001, Group Id: 1
  Total number of registered members: 2
  
  Member gateway: GM-0001, Member IP: 10.18.101.1, Vsys: root
  Last Update: Thu Nov 19 2015 16:31:09 
  Stats:
      Pull Succeeded                : 2
      Pull Failed                   : 0
      Push Sent                     : 0
      Push Acknowledged             : 0
      Push Unacknowledged           : 0
  
  Member gateway: GM-0003, Member IP: 10.18.103.1, Vsys: root
  Last Update: Thu Nov 19 2015 16:29:47 
  Stats:
      Pull Succeeded                : 1
      Pull Failed                   : 0
      Push Sent                     : 0
      Push Acknowledged             : 0
      Push Unacknowledged           : 0

Verifying Group Keys Are Distributed

Purpose

Verify that group keys have been distributed to members.

Action

From operational mode on the group server, enter the show security group-vpn server statistics command.

user@host> show security group-vpn server statistics 
Group: GROUP_ID-0001, Group Id: 1
  Stats:
      Pull Succeeded                : 4
      Pull Failed                   : 0
      Pull Exceed Member Threshold  : 0
      Push Sent                     : 0
      Push Acknowledged             : 0
      Push Unacknowledged           : 0

Verifying Group VPN SAs on the Group Server

Purpose

Verify the group VPN SAs on the group server.

Action

From operational mode on the group server, enter the show security group-vpn server kek security-associations and show security group-vpn server kek security-associations detail commands.

user@host> show security group-vpn server kek security-associations 
Index   Life:sec  Initiator cookie  Responder cookie  GroupId
738879  1206      a471513492db1e13  24045792a4b3dd64  1  
user@host> show security group-vpn server kek security-associations detail
Index 738879, Group Name: GROUP_ID-0001, Group Id: 1
Initiator cookie: a471513492db1e13, Responder cookie: 24045792a4b3dd64
Authentication method: RSA
Lifetime: Expires in 1204 seconds, Activated
Rekey in 694 seconds
  Algorithms:
   Sig-hash              : sha256
   Encryption            : aes256-cbc
  Traffic statistics:
   Input  bytes  :                    0
   Output bytes  :                    0
   Input  packets:                    0
   Output packets:                    0
  Server Member Communication: Unicast
  Retransmission Period: 10, Number of Retransmissions: 2
  Group Key Push sequence number: 0

PUSH negotiations in progress: 0

Verifying Group VPN SAs on the Group Member

Purpose

Verify the group VPN SAs on the group member.

Action

From operational mode on the SRX Series Firewall or vSRX Virtual Firewall group member, enter the show security group-vpn member kek security-associations and show security group-vpn member kek security-associations detail commands.

user@host> show security group-vpn member kek security-associations 
Index   Server Address  Life:sec  Initiator cookie  Responder cookie  GroupId
5455810 10.10.100.1     1093      a471513492db1e13  24045792a4b3dd64  1 
user@host> show security group-vpn member kek security-associations detail
  Index 5455810, Group Id: 1
  Group VPN Name: GROUP_ID-0001
  Local Gateway: 10.18.101.1, GDOI Server: 10.10.100.1
  Initiator cookie: a471513492db1e13, Responder cookie: 24045792a4b3dd64
  Lifetime: Expires in 1090 seconds
  Group Key Push Sequence number: 0

  Algorithms:
   Sig-hash              : hmac-sha256-128
   Encryption            : aes256-cbc
  Traffic statistics:
   Input  bytes  :                    0
   Output bytes  :                    0
   Input  packets:                    0
   Output packets:                    0
  Stats:
      Push received            :   0
      Delete received          :   0

From operational mode on the MX Series group member, enter the show security group-vpn member kek security-associations and show security group-vpn member kek security-associations detail commands.

user@host> show security group-vpn member kek security-associations 
Index   Server Address  Life:sec  Initiator cookie  Responder cookie  GroupId
488598  10.10.100.1     963       a471513492db1e13  24045792a4b3dd64  1
user@host> show security group-vpn member kek security-associations detail
  Index 488598, Group Id: 1
  Group VPN Name: GROUP_ID-0001
  Local Gateway: 10.18.103.1, GDOI Server: 10.10.100.1
  Initiator cookie: a471513492db1e13, Responder cookie: 24045792a4b3dd64
  Lifetime: Expires in 961 seconds
  Group Key Push Sequence number: 0

  Algorithms:
   Sig-hash              : hmac-sha256-128
   Encryption            : aes256-cbc
  Traffic statistics:
   Input  bytes  :                    0
   Output bytes  :                    0
   Input  packets:                    0
   Output packets:                    0
  Stats:
      Push received            :   0
      Delete received          :   0

Verifying IPsec SAs on the Group Server

Purpose

Verify the IPsec SAs on the group server.

Action

From operational mode on the group server, enter the show security group-vpn server ipsec security-associations and show security group-vpn server ipsec security-associations detail commands.

user@host> show security group-vpn server ipsec security-associations 
Group: GROUP_ID-0001, Group Id: 1
  Total IPsec SAs: 1
  IPsec SA          Algorithm        SPI              Lifetime
  GROUP_ID-0001     ESP:aes-256/sha256 1c548e4e       1156
user@host> show security group-vpn server ipsec security-associations detail
Group: GROUP_ID-0001, Group Id: 1
Total IPsec SAs: 1
  IPsec SA: GROUP_ID-0001
    Protocol: ESP, Authentication: sha256, Encryption: aes-256
    Anti-replay: D3P enabled
    SPI: 1c548e4e
    Lifetime: Expires in 1152 seconds, Activated
    Rekey in 642 seconds
    Policy Name: 1
      Source: 172.16.0.0/12
      Destination: 172.16.0.0/12
      Source Port: 0
      Destination Port: 0
      Protocol: 0

Verifying IPsec SAs on the Group Member

Purpose

Verify the IPsec SAs on the group member.

Action

From operational mode on the SRX Series Firewall or vSRX Virtual Firewall group member, enter the show security group-vpn member ipsec security-associations and show security group-vpn member ipsec security-associations detail commands.

user@host> show security group-vpn member ipsec security-associations 
  Total active tunnels: 1
  ID    Server           Port  Algorithm       SPI      Life:sec/kb  GId lsys
  <>49152 10.10.100.1    848   ESP:aes-256/sha256-128 1c548e4e 1073/ unlim 1 root
user@host> show security group-vpn member ipsec security-associations detail
  Virtual-system: root Group VPN Name: GROUP_ID-0001
  Local Gateway: 10.18.101.1, GDOI Server: 10.10.100.1
  Group Id: 1
  Routing Instance: default
  Recovery Probe: Enabled
  DF-bit: clear
  Stats:
      Pull Succeeded             :   4
      Pull Failed                :   3
      Pull Timeout               :   3
      Pull Aborted               :   0
      Push Succeeded             :   6
      Push Failed                :   0
      Server Failover            :   0
      Delete Received            :   0
      Exceed Maximum Keys(4)     :   0
      Exceed Maximum Policies(10):   0
      Unsupported Algo           :   0
  Flags:
      Rekey Needed:   no 

    List of policies received from server:
    Tunnel-id: 49152
      Source IP: ipv4_subnet(any:0,[0..7]=172.16.0.0/12)  
      Destination IP: ipv4_subnet(any:0,[0..7]=172.16.0.0/12)

      Direction: bi-directional, SPI: 1c548e4e
      Protocol: ESP, Authentication: sha256-128, Encryption: aes-256
      Hard lifetime: Expires in 1070 seconds, Activated
      Lifesize Remaining:  Unlimited
      Soft lifetime: Expires in 931 seconds
      Mode: Tunnel, Type: Group VPN, State: installed
      Anti-replay service: D3P enabled

From operational mode on the MX Series group member, enter the show security group-vpn member ipsec security-associations and show security group-vpn member ipsec security-associations detail commands.

user@host> show security group-vpn member ipsec security-associations 
  Total active tunnels: 1
  ID    Server           Port  Algorithm       SPI      Life:sec/kb  GId lsys
  <>10001 10.10.100.1    848   ESP:aes-256/sha256-128 1c548e4e 947/ unlim 1 root
user@host> show security group-vpn member ipsec security-associations detail
  Virtual-system: root Group VPN Name: GROUP_ID-0001
  Local Gateway: 10.18.103.1, GDOI Server: 10.10.100.1
  Group Id: 1
  Rule Match Direction: output,  Tunnel-MTU: 1400
  Routing Instance: default
  DF-bit: clear
  Stats:
      Pull Succeeded            :   2
      Pull Failed               :   0
      Pull Timeout              :   1
      Pull Aborted              :   0
      Push Succeeded            :   2
      Push Failed               :   0
      Server Failover           :   0
      Delete Received           :   0
      Exceed Maximum Keys(4)    :   0
      Exceed Maximum Policies(1):   0
      Unsupported Algo          :   0
  Flags:
      Rekey Needed:   no 

    List of policies received from server:
    Tunnel-id: 10001
      Source IP: ipv4_subnet(any:0,[0..7]=172.16.0.0/12)  
      Destination IP: ipv4_subnet(any:0,[0..7]=172.16.0.0/12)

      Direction: bi-directional, SPI: 1c548e4e
      Protocol: ESP, Authentication: sha256-128, Encryption: aes-256
      Hard lifetime: Expires in 945 seconds, Activated
      Lifesize Remaining:  Unlimited
      Soft lifetime: Expires in 840 seconds
      Mode: Tunnel, Type: Group VPN, State: installed
      Anti-replay service: D3P enabled    
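The member-side detail output above (the SRX and MX forms share the same fields) is what an operator reads when a group member stops passing traffic. The following Python script is an added example, not part of the Junos documentation: it parses a constructed sample of that output and returns the conditions worth alerting on (nonzero pull/push failure counters, Rekey Needed set, no policies received, a tunnel not in the installed state, or a soft lifetime closer to expiry than a threshold you choose).

```python
import re
# Constructed sample modelled on the member "detail" output above; not captured from a device.
SAMPLE = """\
  Stats:
      Pull Failed                :   3
      Push Failed                :   0
      Unsupported Algo           :   0
  Flags:
      Rekey Needed:   no
    List of policies received from server:
    Tunnel-id: 49152
      Soft lifetime: Expires in 931 seconds
      Mode: Tunnel, Type: Group VPN, State: installed
"""

COUNTER_RE = re.compile(r"^\s*(Pull \w+|Push \w+|Unsupported Algo)\s*:\s*(\d+)\s*$")
LIFETIME_RE = re.compile(r"^\s*(Hard|Soft) lifetime: Expires in (\d+) seconds")

def parse_member_sa(text):
    """Extract GDOI counters, the Rekey Needed flag and per-tunnel lifetimes/state."""
    info = {"counters": {}, "rekey_needed": None, "tunnels": []}
    for line in text.splitlines():
        if m := COUNTER_RE.match(line):
            info["counters"][m.group(1)] = int(m.group(2))
        elif m := re.match(r"^\s*Rekey Needed:\s*(\w+)", line):
            info["rekey_needed"] = m.group(1).lower() == "yes"
        elif m := re.match(r"^\s*Tunnel-id:\s*(\d+)", line):
            info["tunnels"].append({"id": int(m.group(1))})
        elif info["tunnels"] and (m := LIFETIME_RE.match(line)):
            info["tunnels"][-1][m.group(1).lower()] = int(m.group(2))  # seconds remaining
        elif info["tunnels"] and (m := re.search(r"State: (\w+)", line)):
            info["tunnels"][-1]["state"] = m.group(1)
    return info

def health_warnings(info, min_soft_seconds=300):
    # Conditions an operator would want alerted on; an empty list means healthy.
    warnings = []
    for name in ("Pull Failed", "Push Failed", "Unsupported Algo"):
        if info["counters"].get(name, 0):
            warnings.append(f"{name} counter is {info['counters'][name]}")
    if info["rekey_needed"]:
        warnings.append("member flags Rekey Needed")
    if not info["tunnels"]:
        warnings.append("no policies received from server")
    for t in info["tunnels"]:
        if t.get("state") != "installed":
            warnings.append(f"tunnel {t['id']} state is {t.get('state')}")
        if t.get("soft", 0) < min_soft_seconds:
            warnings.append(f"tunnel {t['id']} soft lifetime {t.get('soft')}s below {min_soft_seconds}s")
    return warnings
```

Feed it the real output captured over SSH or NETCONF in place of SAMPLE; a growing Pull Failed or Pull Timeout count together with a shrinking soft lifetime points at the member being unable to reach the GDOI server on UDP port 848 before the KEK or TEK expires.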

Verifying Group Policies (SRX Series Firewall or vSRX Virtual Firewall Group Members Only)

Purpose

Verify the group policies on the SRX Series Firewall or vSRX Virtual Firewall group member.

Action

From operational mode on the group member, enter the show security group-vpn member policy command.

user@host> show security group-vpn member policy
Group VPN Name: GROUP_ID-0001, Group Id: 1
From-zone: LAN, To-zone: WAN
 Tunnel-id: 49152, Policy type: Secure
  Source      : IP <172.16.0.0 - 172.31.255.255>, Port <0 - 65535>, Protocol <0>
  Destination : IP <172.16.0.0 - 172.31.255.255>, Port <0 - 65535>, Protocol <0>

 Tunnel-id: 63488, Policy type: Fail-close
  Source      : IP <0.0.0.0 - 255.255.255.255>, Port <0 - 65535>, Protocol <0>
  Destination : IP <0.0.0.0 - 255.255.255.255>, Port <0 - 65535>, Protocol <0>

Example: Configuring Group VPNv2 Server-Member Communication for Unicast Rekey Messages

This example shows how to enable the server to send unicast rekey messages to group members to ensure that valid keys are available for encrypting traffic between group members. Group VPNv2 is supported on SRX300, SRX320, SRX340, SRX345, SRX550HM, SRX1500, SRX4100, SRX4200, and SRX4600 devices and vSRX Virtual Firewall instances.

Requirements

Before you begin:

  • Configure the group server and members for IKE Phase 1 negotiation.

  • Configure the group server and members for IPsec SAs.

  • Configure the group g1 on the group server.

Overview

In this example, you specify the following server-member communication parameters for the group g1:

  • The server sends unicast rekey messages to group members.

  • AES-128-CBC is used to encrypt traffic between the server and members.

  • SHA-256 is used for member authentication.

Default values are used for the KEK lifetime and retransmissions.

Configuration

Procedure

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure server-member communication:

  1. Set the communication type.

    [edit security group-vpn server group g1 server-member-communication]
    user@host# set communications-type unicast
    
  2. Set the encryption algorithm.

    [edit security group-vpn server group g1 server-member-communication]
    user@host# set encryption-algorithm aes-128-cbc
    
  3. Set the member authentication.

    [edit security group-vpn server group g1 server-member-communication]
    user@host# set sig-hash-algorithm sha-256
    

Verification

To verify that the configuration is working properly, enter the show security group-vpn server group g1 server-member-communication command.